Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so far.

We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers most of the existing decision procedures for convergent theories. We also provide an efficient implementation, and compare it briefly with the tools ProVerif and KiSs.
1. INTRODUCTION

Understanding security protocols often requires reasoning about the information accessible to an on-line attacker. Accordingly, many formal approaches to security rely on a notion of deducibility [Lowe 1996; Millen and Shmatikov 2001] that models whether a piece of data, typically a secret, is retrievable from a finite set of messages. Deducibility, however, does not always suffice to reflect the knowledge of an attacker. Consider for instance a protocol sending an encrypted Boolean value, say, a vote in an electronic voting protocol. Rather than deducibility, the key idea to express confidentiality of the plaintext is that an attacker should not be able to distinguish between the sequences of messages corresponding to each possible value. (Such security considerations typically motivate the use of randomized encryption.)

In the framework of the applied pi-calculus [Abadi and Fournet 2001], as in similar languages based on equational logics [Blanchet et al. 2008], indistinguishability corresponds to a relation called static equivalence: roughly, two sequences of messages are statically equivalent when they satisfy the same algebraic relations from the attacker's point of view. Static equivalence plays an important role in the study of guessing attacks (e.g. [Corin et al. 2004; Baudet 2005; Abadi et al. 2006]), as well as for anonymity properties and electronic voting protocols (e.g. [Delaune et al. 2009]). Static equivalence is also used for specifying privacy in the context of RFID protocols [Arapinis et al. 2009]. In several cases, this notion has also been shown to imply the more complex and precise notion of cryptographic indistinguishability [Baudet et al. 2005; Abadi et al. 2006], related to probabilistic polynomial-time Turing machines. Two sequences of messages are cryptographically indistinguishable when their corresponding bit-string implementations are indistinguishable to any probabilistic polynomial-time Turing machine.

We emphasize that both deducibility and static equivalence apply to observations on finite sets of messages, and do not take into account the dynamic behavior of protocols. (This justifies the expression static equivalence.) Nevertheless, deducibility is used as a subroutine by many general decision procedures [Comon-Lundh and Shmatikov 2003; Chevalier et al. 2003]. Besides, it has been shown that observational equivalence in the applied pi-calculus coincides with labeled bisimulation [Abadi and Fournet 2001], that is, corresponds to checking a number of static equivalences and some standard bisimulation conditions.

Deducibility and static equivalence rely on an underlying equational theory for axiomatizing the properties of cryptographic functions. Many decision procedures [Abadi and Cortier 2006; Cortier and Delaune 2007] have been proposed to compute these relations under a variety of equational theories, including symmetric and asymmetric encryptions, signatures, exclusive OR, and homomorphic operators. However, except for the class of subterm convergent theories [Abadi and Cortier 2006], which covers the standard flavors of encryption and signature, each of these decision results introduces a new procedure, devoted to a particular theory. Even in the case of the general decidability criterion given in [Abadi and Cortier 2006], we note that the algorithm underlying the proof has to be adapted for each theory, depending on how the criterion is fulfilled.

Perhaps as a consequence of this fact, none of these decision procedures has been implemented so far. When we began this work, the only tool able to verify static equivalence was ProVerif [Blanchet 2001; Blanchet et al. 2008]. This general tool can handle various equational theories and analyze security protocols under active adversaries. However, termination of the verifier is not guaranteed in general, and protocols are subject to (safe) approximations. Since then, a new tool, called KiSs, has been developed [Ciobaca et al. 2009]. The procedure implemented in KiSs has many concepts in common with a preliminary version of this work [Baudet et al. 2009] but targets a different class of equational theories.

The present work aims to fill this gap between theory and implementation and propose an efficient tool for deciding deducibility and static equivalence in a uniform way. It is initially inspired from a procedure for solving more general constraint systems related to active adversaries and equivalence of finite processes, presented in [Baudet 2005], with a corrected extended version in [Baudet 2007] (in French). However, due to the complexity of the constraint systems, this decision procedure was only studied for subterm convergent theories, and remains too complex to enable an efficient implementation.

Our Contributions. In this paper, we provide and study a generic procedure for checking deducibility and static equivalence, taking as input any convergent theory (that is, any equational theory described by a finite convergent rewrite system). We prove the algorithm sound and complete, up to explicit failure cases. Note that (unfailing) termination cannot be guaranteed in general since the problem of checking deducibility and static equivalence is undecidable, even for convergent theories [Abadi and Cortier 2006]. To address this issue and turn our algorithm into a decision procedure for a given convergent theory, we provide two criteria. First, we define a syntactic criterion on the rewrite rules that ensures that the algorithm never fails. This criterion is enjoyed in particular by any convergent subterm theory, as well as the theories of blind signature and homomorphic encryption. Termination often follows from a simple analysis of the rules of the algorithm: as a proof of concept, we obtain a new decidability result for deducibility and static equivalence for the prefix theory, representing encryption in CBC mode. Second, we provide a termination criterion based on deducibility: provided that failure cannot occur, termination on a given input is equivalent to the existence of some natural finite representation of deducible terms. As a consequence, we obtain that our algorithm can decide deducibility and static equivalence for all the convergent theories shown to be decidable in [Abadi and Cortier 2006].

Our second contribution is an efficient implementation of this generic procedure, called YAPA. After describing the main features of the implementation, we report several experiments suggesting that our tool computes static equivalence faster and for more convergent theories than the general tool ProVerif [Blanchet 2001; Blanchet et al. 2008]. We also outline the main differences between YAPA and the recent tool KiSs.

Outline. We introduce our setting in Section 2, in particular the notions of term algebra and equational theory, that are used to model cryptographic primitives. Deducibility and static equivalence are defined in Section 3. We describe our procedure in Section 4 and prove its correctness and completeness in Section 5. We provide criteria for preventing failure in Section 6 and for ensuring termination in Section 7. The implementation of our procedure is discussed in Section 8. Some concluding remarks and perspectives can be found in Section 9. A number of technical proofs have been postponed to the appendix to ease the presentation.

2. PRELIMINARIES 

2.1 Term algebra 

We start by introducing the necessary notions to describe cryptographic messages in a symbolic way. For modeling cryptographic primitives, we assume given a set of function symbols $\mathcal{F}$ together with an arity function $\mathrm{ar} : \mathcal{F} \to \mathbb{N}$. Symbols in $\mathcal{F}$ of arity 0 are called constants. We consider a set of variables $\mathcal{X}$ and a set of additional constants $\mathcal{W}$ called parameters. The (usual, first-order) term algebra generated by $\mathcal{F}$ over $\mathcal{W}$ and $\mathcal{X}$ is written $\mathcal{F}[\mathcal{W} \cup \mathcal{X}]$, with elements denoted by $T, U, T_1, \ldots$ More generally, we write $\mathcal{F}'[A]$ for the least set of terms containing a set $A$ and stable by application of symbols in $\mathcal{F}' \subseteq \mathcal{F}$.

We write $\mathrm{var}(T)$ (resp. $\mathrm{par}(T)$) for the set of variables (resp. parameters) that occur in a term $T$. These notations are extended to tuples and sets of terms in the usual way. The set of positions of a term $T$ is written $\mathrm{pos}(T) \subseteq \mathbb{N}^*$, and its set of subterms $\mathrm{st}(T)$. The subterm of $T$ at position $p \in \mathrm{pos}(T)$ is written $T|_p$. The term obtained by replacing $T|_p$ with a term $U$ in $T$ is denoted $T[U]_p$.

A (finite, partial) substitution $\sigma$ is a mapping from a finite subset of variables, called its domain and written $\mathrm{dom}(\sigma)$, to terms. The image of a substitution is its image as a mapping $\mathrm{im}(\sigma) = \{\sigma(x) \mid x \in \mathrm{dom}(\sigma)\}$. Substitutions are extended to endomorphisms of $\mathcal{F}[\mathcal{X} \cup \mathcal{W}]$ as usual. We use a postfix notation for their application. A term $T$ (resp. a substitution $\sigma$) is ground if $\mathrm{var}(T) = \emptyset$ (resp. $\mathrm{var}(\mathrm{im}(\sigma)) = \emptyset$).

For our cryptographic purposes, it is useful to distinguish a subset $\mathcal{F}_{\mathrm{pub}}$ of $\mathcal{F}$, made of public function symbols, that is, intuitively, the symbols made available to the attacker. A recipe (or second-order term) $M, N, M_1, \ldots$ is a term in $\mathcal{F}_{\mathrm{pub}}[\mathcal{W} \cup \mathcal{X}]$, that is, a term containing no private (non-public) function symbols. A plain term (or first-order term) $t, r, s, t_1, \ldots$ is a term in $\mathcal{F}[\mathcal{X}]$, that is, containing no parameters. A (public, ground, non-necessarily linear) $n$-ary context $C$ is a recipe in $\mathcal{F}_{\mathrm{pub}}[w_1, \ldots, w_n]$, where we assume a fixed countable subset of parameters $\{w_1, \ldots, w_n, \ldots\} \subseteq \mathcal{W}$. If $C$ is an $n$-ary context, $C[T_1, \ldots, T_n]$ denotes the term obtained by replacing each occurrence of $w_i$ with $T_i$ in $C$.

2.2 Rewriting 

A rewrite system $\mathcal{R}$ is a finite set of rewrite rules $l \to r$ where $l, r \in \mathcal{F}[\mathcal{X}]$ and such that $\mathrm{var}(r) \subseteq \mathrm{var}(l)$. A term $S$ rewrites to $T$ by $\mathcal{R}$, denoted $S \to_{\mathcal{R}} T$, if there exist $l \to r$ in $\mathcal{R}$, $p \in \mathrm{pos}(S)$ and a substitution $\sigma$ such that $S|_p = l\sigma$ and $T = S[r\sigma]_p$. We write $\to^+_{\mathcal{R}}$ for the transitive closure of $\to_{\mathcal{R}}$, $\to^*_{\mathcal{R}}$ for its reflexive and transitive closure, and $=_{\mathcal{R}}$ for its reflexive, symmetric and transitive closure.

A rewrite system $\mathcal{R}$ is convergent if it is:

— terminating, i.e. there is no infinite chain $T_1 \to_{\mathcal{R}} T_2 \to_{\mathcal{R}} \ldots$; and
— confluent, i.e. for all terms $S, T$ such that $S =_{\mathcal{R}} T$, there exists $U$ such that $S \to^*_{\mathcal{R}} U$ and $T \to^*_{\mathcal{R}} U$.

A term $T$ is $\mathcal{R}$-reduced if there is no term $S$ such that $T \to_{\mathcal{R}} S$. If $T \to^*_{\mathcal{R}} S$ and $S$ is $\mathcal{R}$-reduced then $S$ is an $\mathcal{R}$-reduced form of $T$. When this reduced form is unique (in particular if $\mathcal{R}$ is convergent), we write $S = T{\downarrow_{\mathcal{R}}}$ (or simply $T{\downarrow}$, when $\mathcal{R}$ is clear from the context).

2.3 Equational theories 

We equip the signature $\mathcal{F}$ with an equational theory represented by a set of equations $\mathcal{E}$ of the form $s = t$ with $s, t \in \mathcal{F}[\mathcal{X}]$. The equational theory $\mathsf{E}$ generated by $\mathcal{E}$ is the least set of equations containing $\mathcal{E}$ that is stable under the axioms of congruence (reflexivity, symmetry, transitivity, application of function symbols) and under application of substitutions. We write $=_{\mathsf{E}}$ for the corresponding relation on terms. Equational theories have proved very useful for modeling algebraic properties of cryptographic primitives (see e.g. [Cortier et al. 2006] for a survey).

We are particularly interested in theories $\mathsf{E}$ that can be represented by a convergent rewrite system $\mathcal{R}$, i.e. theories for which there exists a convergent rewrite system $\mathcal{R}$ such that the two relations $=_{\mathcal{R}}$ and $=_{\mathsf{E}}$ coincide. The rewrite system $\mathcal{R}$ (and by extension the equational theory $\mathsf{E}$) is weakly subterm convergent if, in addition, we have that for every rule $l \to r \in \mathcal{R}$, $r$ is either a subterm of $l$ or a ground $\mathcal{R}$-reduced term. This class encompasses the class of subterm convergent theories used in [Abadi and Cortier 2006] (for every rule $l \to r \in \mathcal{R}$, $r$ is a subterm of $l$ or a constant), the class of dwindling theories used in [Anantharaman et al. 2007], and the class of public-collapsing theories introduced in [Delaune and Jacquemard 2004].

Example 2.1. Consider the signature $\mathcal{F}_{\mathrm{enc}} = \{\mathrm{dec}, \mathrm{enc}, \langle \_, \_ \rangle, \mathrm{proj}_1, \mathrm{proj}_2\}$. The symbols $\mathrm{dec}$, $\mathrm{enc}$ and $\langle \_, \_ \rangle$ are function symbols of arity 2 that represent respectively the decryption, encryption and pairing functions, whereas $\mathrm{proj}_1$ and $\mathrm{proj}_2$ are function symbols of arity 1 that represent the projection functions on the first and the second component of a pair, respectively. The equational theory of pairing and symmetric (deterministic) encryption, denoted by $\mathsf{E}_{\mathrm{enc}}$, is generated by the equations

$\mathcal{E}_{\mathrm{enc}} = \{\mathrm{dec}(\mathrm{enc}(x, y), y) = x,\ \mathrm{proj}_1(\langle x, y \rangle) = x,\ \mathrm{proj}_2(\langle x, y \rangle) = y\}.$

Motivated by the modeling of the ECB mode of encryption, we may also consider an encryption symbol that is homomorphic with respect to pairing:

$\mathcal{E}_{\mathrm{hom}} = \mathcal{E}_{\mathrm{enc}} \cup \{\mathrm{enc}(\langle x, y \rangle, z) = \langle \mathrm{enc}(x, z), \mathrm{enc}(y, z) \rangle,\ \mathrm{dec}(\langle x, y \rangle, z) = \langle \mathrm{dec}(x, z), \mathrm{dec}(y, z) \rangle\}.$

If we orient the equations from left to right, we obtain two rewrite systems $\mathcal{R}_{\mathrm{enc}}$ and $\mathcal{R}_{\mathrm{hom}}$. Both rewrite systems are convergent, but only $\mathcal{R}_{\mathrm{enc}}$ is (weakly) subterm convergent. Other examples of subterm convergent theories can be found in [Abadi and Cortier 2006].

From now on, we assume given an equational theory $\mathsf{E}$ represented by a convergent rewrite system $\mathcal{R}$. A symbol $f$ is free if $f$ does not occur in $\mathcal{R}$. In order to model (an unbounded number of) random values possibly generated by the attacker, we assume that $\mathcal{F}_{\mathrm{pub}}$ contains infinitely many free public constants. We will use free private constants to model secrets, for instance the secret keys used to encrypt a message. Private (resp. public) free constants are closely related to bound (resp. free) names in the framework of the applied pi calculus [Abadi and Fournet 2001]. Our formalism also allows one to consider non-constant private symbols.

3. DEDUCIBILITY AND STATIC EQUIVALENCE 

In order to describe the cryptographic messages observed or inferred by an attacker, we introduce the following notions of deduction facts and frames.

A deduction fact is a pair, written $M \triangleright t$, made of a recipe $M \in \mathcal{F}_{\mathrm{pub}}[\mathcal{W} \cup \mathcal{X}]$ and a plain term $t \in \mathcal{F}[\mathcal{X}]$. Such a deduction fact is ground if $\mathrm{var}(M, t) = \emptyset$. A frame, denoted by letters $\varphi, \Phi, \Phi_0, \ldots$, is a finite set of ground deduction facts. The image of a frame is defined by $\mathrm{im}(\Phi) = \{t \mid M \triangleright t \in \Phi\}$. A frame $\Phi$ is one-to-one if $M_1 \triangleright t, M_2 \triangleright t \in \Phi$ implies $M_1 = M_2$.

A frame $\varphi$ is initial if it is of the form $\varphi = \{w_1 \triangleright t_1, \ldots, w_l \triangleright t_l\}$ for some distinct parameters $w_1, \ldots, w_l \in \mathcal{W}$. The parameters $w_i$ can be seen as labels that refer to the messages observed by an attacker. Initial fr

ames are closely related to the notion of frames in the applied pi-calculus [Abadi and Fournet 2001]. The only difference is that, in initial frames, values initially unknown to an attacker are modeled by private constants while they are modeled by restricted names in the applied pi-calculus. Name generation and binding are important features of the (general) applied calculus but are unessential when considering finite processes, and in particular frames. Given such an initial frame $\varphi$, we denote by $\mathrm{dom}(\varphi)$ its domain $\mathrm{dom}(\varphi) = \{w_1, \ldots, w_l\}$. If $\mathrm{par}(M) \subseteq \mathrm{dom}(\varphi)$, we write $M\varphi$ for the term obtained by replacing each $w_i$ by $t_i$ in $M$. We note that if in addition $M$ is ground then $t = M\varphi$ is a ground plain term.

3.1 Deducibility, recipes 

Classically (see e.g. [Abadi and Cortier 2006]), a ground term $t$ is deducible modulo $\mathsf{E}$ from an initial frame $\varphi$, written $\varphi \vdash_{\mathsf{E}} t$, if there exists $M \in \mathcal{F}_{\mathrm{pub}}[\mathrm{dom}(\varphi)]$ such that $M\varphi =_{\mathsf{E}} t$. This corresponds to the intuition that the attacker may compute (infer) $t$ from $\varphi$. For the purpose of our study, we generalize this notion to arbitrary (i.e. non-necessarily initial) frames, and even sets of (non-necessarily ground) deduction facts $\phi$, using the notations $\triangleright_\phi$ and $\triangleright^{\mathsf{E}}_\phi$ defined as follows.

Definition 3.1 Deducibility. Let $\phi$ be a finite set of deduction facts. We say that $M$ is a recipe of $t$ in $\phi$, written $M \triangleright_\phi t$, if there exist a (public, ground, non-necessarily linear) $n$-ary context $C$ and some deduction facts $M_1 \triangleright t_1, \ldots, M_n \triangleright t_n$ in $\phi$ such that $M = C[M_1, \ldots, M_n]$ and $t = C[t_1, \ldots, t_n]$. In that case, we say that $t$ is syntactically deducible from $\phi$, also written $\phi \vdash t$.

We say that $M$ is a recipe of $t$ in $\phi$ modulo $\mathsf{E}$, written $M \triangleright^{\mathsf{E}}_\phi t$, if there exists a term $t'$ such that $M \triangleright_\phi t'$ and $t' =_{\mathsf{E}} t$. In that case, we say that $t$ is deducible from $\phi$ modulo $\mathsf{E}$, written $\phi \vdash_{\mathsf{E}} t$.

We note that $M \triangleright^{\mathsf{E}}_\varphi t$ is equivalent to $M\varphi =_{\mathsf{E}} t$ when $\varphi$ is an initial frame and when $t$ (or equivalently $M$) is ground. We also note that in the case of a frame $\varphi$, since our contexts $C$ are ground and public, $M \triangleright_\varphi t$ implies $\mathrm{var}(M, t) = \emptyset$ and $\mathrm{par}(M) \subseteq \mathrm{par}(\varphi)$.

Example 3.2. Consider the equational theory $\mathsf{E}_{\mathrm{enc}}$ described in Example 2.1. Let $\varphi_0 = \{w_1 \triangleright \mathrm{enc}(c_0, k), w_2 \triangleright k\}$ where $c_0$ is a public constant and $k$ is a private constant. We have that $\varphi_0$ is a set of deduction facts. Since these facts are ground, $\varphi_0$ is actually a frame. Moreover, this frame is initial. We have that $\langle w_2, w_2 \rangle \triangleright_{\varphi_0} \langle k, k \rangle$, $c_0 \triangleright_{\varphi_0} c_0$, and $\mathrm{dec}(w_1, w_2) \triangleright^{\mathsf{E}}_{\varphi_0} c_0$.
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3.2 Static equivalence, visible equations 

Deducibility does not always suffice for expressing the knowledge of an attacker. In particular, it does not account for the partial information that an attacker may obtain about secrets. Sometimes, the attacker can deduce exactly the same set of terms from two different frames but could still be able to tell the difference between these two frames. This issue motivates the study of visible equations and static equivalence (see [Abadi and Fournet 2001]), defined as follows.

Definition 3.3 Static equivalence. Let $\varphi$ be an initial frame. The set of visible equations of $\varphi$ modulo $\mathsf{E}$ is defined as

$\mathrm{eq}_{\mathsf{E}}(\varphi) = \{M \bowtie N \mid M, N \in \mathcal{F}_{\mathrm{pub}}[\mathrm{dom}(\varphi)],\ M\varphi =_{\mathsf{E}} N\varphi\}$

where $\bowtie$ is a dedicated commutative symbol. Two initial frames $\varphi_1$ and $\varphi_2$ with the same domain are statically equivalent modulo $\mathsf{E}$, written $\varphi_1 \approx_{\mathsf{E}} \varphi_2$, if their sets of visible equations are equal, i.e. $\mathrm{eq}_{\mathsf{E}}(\varphi_1) = \mathrm{eq}_{\mathsf{E}}(\varphi_2)$.

This definition is in line with static equivalence in the applied pi calculus [Abadi and Fournet 2001] where bound names would be replaced by free private constants.

Example 3.4. Consider again the equational theory $\mathsf{E}_{\mathrm{enc}}$ given in Example 2.1. Let $\varphi_0 = \{w_1 \triangleright \mathrm{enc}(c_0, k), w_2 \triangleright k\}$ and $\varphi_1 = \{w_1 \triangleright \mathrm{enc}(c_1, k), w_2 \triangleright k\}$ where $c_0, c_1$ are public constants and $k$ is a private constant. We have that:

— $(\mathrm{enc}(c_0, w_2) \bowtie w_1) \in \mathrm{eq}_{\mathsf{E}_{\mathrm{enc}}}(\varphi_0)$, and
— $(\mathrm{enc}(c_0, w_2) \bowtie w_1) \notin \mathrm{eq}_{\mathsf{E}_{\mathrm{enc}}}(\varphi_1)$.

Hence, $\mathrm{eq}_{\mathsf{E}_{\mathrm{enc}}}(\varphi_0) \neq \mathrm{eq}_{\mathsf{E}_{\mathrm{enc}}}(\varphi_1)$ and the two frames $\varphi_0$ and $\varphi_1$ are not statically equivalent. However, it can be shown that $\{w_1 \triangleright \mathrm{enc}(c_0, k)\} \approx_{\mathsf{E}_{\mathrm{enc}}} \{w_1 \triangleright \mathrm{enc}(c_1, k)\}$.

For the purpose of finitely describing the set of visible equations $\mathrm{eq}_{\mathsf{E}}(\varphi)$ of an initial frame, we introduce quantified equations of the form $\forall z_1, \ldots, z_q.\ M \bowtie N$ where $z_1, \ldots, z_q \in \mathcal{X}$, $q \geq 0$ and $\mathrm{var}(M, N) \subseteq \{z_1, \ldots, z_q\}$. In what follows, finite sets of quantified equations are denoted $\Psi, \Psi_0, \ldots$ We write $\Psi \models M \bowtie N$ when the ground equation $M \bowtie N$ is a consequence of $\Psi$ in the usual first-order logic with equality axioms for the relation $\bowtie$ (that is, reflexivity, symmetry, transitivity and compatibility with symbols in $\mathcal{F}_{\mathrm{pub}}$). When no confusion arises, we may refer to quantified equations simply as equations. As usual, quantified equations are considered up to renaming of bound variables.

Example 3.5. Consider the equational theory $\mathsf{E}_{\mathrm{hom}}$ given in Example 2.1. Let $\varphi = \{w_1 \triangleright \mathrm{enc}(\langle c_0, c_1 \rangle, k), w_2 \triangleright \langle \mathrm{enc}(c_0, k), \mathrm{enc}(c_1, k) \rangle, w_3 \triangleright k\}$ where $c_0$ and $c_1$ are public constants and $k$ is a private constant. In the set $\mathrm{eq}_{\mathsf{E}_{\mathrm{hom}}}(\varphi)$, we have, among others, $w_1 \bowtie w_2$ and $\mathrm{dec}(w_1, M) \bowtie \langle \mathrm{dec}(\mathrm{proj}_1(w_1), M), \mathrm{dec}(\mathrm{proj}_2(w_1), M) \rangle$ for every term $M \in \mathcal{F}_{\mathrm{pub}}[\mathrm{dom}(\varphi)]$. Indeed, we have that:

$\mathrm{dec}(w_1, M)\varphi = \mathrm{dec}(\mathrm{enc}(\langle c_0, c_1 \rangle, k), M\varphi)$
$=_{\mathsf{E}_{\mathrm{hom}}} \langle \mathrm{dec}(\mathrm{enc}(c_0, k), M\varphi), \mathrm{dec}(\mathrm{enc}(c_1, k), M\varphi) \rangle$
$=_{\mathsf{E}_{\mathrm{hom}}} \langle \mathrm{dec}(\mathrm{proj}_1(w_1), M), \mathrm{dec}(\mathrm{proj}_2(w_1), M) \rangle\varphi.$

This infinite set will be represented with the quantified equation:

$\forall z.\ \mathrm{dec}(w_1, z) \bowtie \langle \mathrm{dec}(\mathrm{proj}_1(w_1), z), \mathrm{dec}(\mathrm{proj}_2(w_1), z) \rangle.$
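The following is an added example and not code from the paper or from YAPA. It implements the notions of Sections 2 and 3 in a few dozen lines of Python: a generic matcher and normalizer for a convergent rewrite system (run here on $\mathcal{R}_{\mathrm{enc}}$ and $\mathcal{R}_{\mathrm{hom}}$ from Example 2.1), the application $M\varphi$ of a recipe to an initial frame, syntactic recipe search in the sense of Definition 3.1, and the test of a (possibly quantified) visible equation, reproducing Examples 2.1, 3.2, 3.4 and 3.5. The symbol names are assumptions of this example: `pair` stands for $\langle \_, \_ \rangle$, `c0` and `c1` are public constants and `k` is a private constant.

```python
# Added example (not from the paper or YAPA).  Terms are tuples (symbol, *args);
# a bare str is a rewrite-rule variable; parameters w_i are 0-ary symbols
# ('w1',) that a frame (a dict) maps to plain terms.  Symbol names 'pair',
# 'c0', 'c1' (public) and 'k' (private) are assumptions of this example.

def match(pattern, term, sub):
    """Syntactic matching: fills sub so that subst(pattern, sub) == term.
    Non-linear patterns such as dec(enc(x,y),y) are handled by requiring a
    repeated variable to be bound to an identical subterm."""
    if isinstance(pattern, str):
        if pattern in sub:
            return sub[pattern] == term
        sub[pattern] = term
        return True
    if isinstance(term, str) or pattern[0] != term[0] or len(pattern) != len(term):
        return False
    return all(match(p, t, sub) for p, t in zip(pattern[1:], term[1:]))

def subst(term, sub):
    if isinstance(term, str):
        return sub.get(term, term)
    return (term[0],) + tuple(subst(a, sub) for a in term[1:])

def normalize(term, rules):
    """R-reduced form: reduce the arguments first, then try each rule at the
    root and normalize the contractum.  Unique when the system is convergent."""
    if isinstance(term, str):
        return term
    term = (term[0],) + tuple(normalize(a, rules) for a in term[1:])
    for lhs, rhs in rules:
        sub = {}
        if match(lhs, term, sub):
            return normalize(subst(rhs, sub), rules)
    return term

# R_enc and R_hom: the equations of Example 2.1 oriented left to right.
R_ENC = [(('dec', ('enc', 'x', 'y'), 'y'), 'x'),
         (('proj1', ('pair', 'x', 'y')), 'x'),
         (('proj2', ('pair', 'x', 'y')), 'y')]
R_HOM = R_ENC + [(('enc', ('pair', 'x', 'y'), 'z'), ('pair', ('enc', 'x', 'z'), ('enc', 'y', 'z'))),
                 (('dec', ('pair', 'x', 'y'), 'z'), ('pair', ('dec', 'x', 'z'), ('dec', 'y', 'z')))]
PUBLIC = {'enc', 'dec', 'pair', 'proj1', 'proj2', 'c0', 'c1'}   # F_pub; 'k' is private

def apply_frame(recipe, frame):
    """M phi: replace each parameter w_i of the recipe by the term it labels."""
    if isinstance(recipe, str):
        return recipe
    if len(recipe) == 1 and recipe[0] in frame:
        return frame[recipe[0]]
    return (recipe[0],) + tuple(apply_frame(a, frame) for a in recipe[1:])

def syntactic_recipe(frame, t):
    """Definition 3.1 in the empty theory: a public ground context over the
    frame's parameters that rebuilds t exactly, or None.  Sound but not
    complete modulo E, because it never applies a rewrite rule."""
    for w, u in frame.items():
        if u == t:
            return (w,)
    if isinstance(t, tuple) and t[0] in PUBLIC:
        args = [syntactic_recipe(frame, a) for a in t[1:]]
        if all(a is not None for a in args):
            return (t[0], *args)
    return None

def is_recipe_modulo(frame, M, t, rules):
    """M |>^E_phi t for an initial frame: M phi =_E t, decided on reduced forms."""
    return normalize(apply_frame(M, frame), rules) == normalize(t, rules)

def equation_holds(frame, M, N, rules, quantified=()):
    """M ⋈ N in eq_E(phi).  Bound variables of a quantified equation are
    instantiated with fresh free public constants, as in the proof of the
    static-equivalence algorithm of Section 4.4."""
    fresh = {z: ('fresh_%s' % z,) for z in quantified}
    M, N = subst(M, fresh), subst(N, fresh)
    return normalize(apply_frame(M, frame), rules) == normalize(apply_frame(N, frame), rules)

def examples():
    c0, c1, k, w1, w2 = ('c0',), ('c1',), ('k',), ('w1',), ('w2',)
    phi0 = {'w1': ('enc', c0, k), 'w2': k}              # Examples 3.2 and 3.4
    phi1 = {'w1': ('enc', c1, k), 'w2': k}
    phi = {'w1': ('enc', ('pair', c0, c1), k),          # Example 3.5 (E_hom)
           'w2': ('pair', ('enc', c0, k), ('enc', c1, k)), 'w3': k}
    eq = (('enc', c0, w2), w1)                          # enc(c0,w2) ⋈ w1
    hom_eq = (('dec', w1, 'z'),                         # forall z. dec(w1,z) ⋈ <dec(proj1(w1),z), dec(proj2(w1),z)>
              ('pair', ('dec', ('proj1', w1), 'z'), ('dec', ('proj2', w1), 'z')))
    return {
        'dec_enc': normalize(('dec', ('enc', c0, k), k), R_ENC),
        'hom_enc': normalize(('enc', ('pair', c0, c1), k), R_HOM),
        'kk_recipe': syntactic_recipe(phi0, ('pair', k, k)),
        'dec_recipe_ok': is_recipe_modulo(phi0, ('dec', w1, w2), c0, R_ENC),
        'eq_in_phi0': equation_holds(phi0, *eq, R_ENC),
        'eq_in_phi1': equation_holds(phi1, *eq, R_ENC),
        'w1_w2_in_phi': equation_holds(phi, w1, w2, R_HOM),
        'hom_eq_in_phi': equation_holds(phi, *hom_eq, R_HOM, quantified=('z',)),
    }
```

The normalizer reduces innermost first and tries the rules at the root only once the arguments are already reduced, so for a convergent system it returns $T{\downarrow_{\mathcal{R}}}$ regardless of rule order. Note the gap that `syntactic_recipe` leaves open: it finds $\langle w_2, w_2 \rangle$ for $\langle k, k \rangle$ but would not find $\mathrm{dec}(w_1, w_2)$ for a private plaintext, since that recipe only works modulo $\mathsf{E}$; closing this gap is what the saturation procedure of Section 4 is for.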
4. MAIN PROCEDURE

In this section, we describe our algorithms for checking deducibility and static equivalence on convergent rewrite systems. After some additional notations, we present the core of the procedure, which consists of a set of transformation rules used to saturate a frame and a finite set of quantified equations. The result of the saturation can be seen as a finite description of the deducible terms and visible equations of the initial frame under consideration. We then show how to use this procedure to decide deducibility and static equivalence, provided that saturation succeeds. (Recall that static equivalence and deduction are undecidable for convergent theories [Abadi and Cortier 2006].)

Soundness and completeness of the saturation procedure are detailed in Section 5. We provide sufficient conditions on the rewrite systems to ensure success of saturation and termination in Section 6 and Section 7.

4.1 Decompositions of rewrite rules

Before stating the procedure, we introduce the following notion of decomposition to account for the possible superpositions of an attacker's context (that is, a recipe in our setting) with a left-hand side of a rewrite rule.

Definition 4.1 Decomposition. Let $n, p, q$ be non-negative integers. An $(n, p, q)$-decomposition of a term $l$ (and by extension of any rewrite rule $l \to r$) is a (public, ground, non-necessarily linear) context $D \in \mathcal{F}_{\mathrm{pub}}[\mathcal{W}]$ such that $\mathrm{par}(D) = \{w_1, \ldots, w_{n+p+q}\}$ and $l = D[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$ where

— $l_1, \ldots, l_n$ are mutually-distinct non-variable terms,
— $y_1, \ldots, y_p$ and $z_1, \ldots, z_q$ are mutually-distinct variables, and
— $y_1, \ldots, y_p \in \mathrm{var}(l_1, \ldots, l_n)$ whereas $z_1, \ldots, z_q \notin \mathrm{var}(l_1, \ldots, l_n)$.

A decomposition $D$ is proper if it is not a parameter (i.e. $D \neq w_i$).

In order to avoid unnecessary computations, $(n, p, q)$-decompositions are considered up to permutations of parameters in the sets $\{w_1, \ldots, w_n\}$, $\{w_{n+1}, \ldots, w_{n+p}\}$ and $\{w_{n+p+1}, \ldots, w_{n+p+q}\}$ respectively.

Example 4.2. Consider the rewrite rule $\mathrm{dec}(\mathrm{enc}(x, y), y) \to x$. This rule admits two proper decompositions up to permutation of parameters:

— $D_1 = \mathrm{dec}(\mathrm{enc}(w_1, w_2), w_2)$ where $n = 0$, $p = 0$, $q = 2$, $z_1 = x$, $z_2 = y$;
— $D_2 = \mathrm{dec}(w_1, w_2)$ where $n = 1$, $p = 1$, $q = 0$, $l_1 = \mathrm{enc}(x, y)$ and $y_1 = y$.

Now, consider the rewrite rule $\mathrm{dec}(\langle x, y \rangle, z) \to \langle \mathrm{dec}(x, z), \mathrm{dec}(y, z) \rangle$. This rule also admits two proper decompositions:

— $D_3 = \mathrm{dec}(\langle w_1, w_2 \rangle, w_3)$ where $n = 0$, $p = 0$, $q = 3$, $z_1 = x$, $z_2 = y$, $z_3 = z$;
— $D_4 = \mathrm{dec}(w_1, w_2)$ where $n = 1$, $p = 0$, $q = 1$, $l_1 = \langle x, y \rangle$, $z_1 = z$.
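As an added example (not code from the paper or from YAPA), the following Python enumerates the proper $(n, p, q)$-decompositions of a rule's left-hand side according to Definition 4.1 and reproduces Example 4.2. It goes slightly beyond the example in that it also handles left-hand sides where the same non-variable subterm occurs more than once. The encoding of terms as tuples, of variables as strings, and the name `pair` for $\langle \_, \_ \rangle$ are assumptions of this example.

```python
# Added example (not from the paper or YAPA).  Terms are tuples (symbol, *args)
# and a bare str is a variable; parameters are written ('w1',), ('w2',), ...
# A decomposition D is obtained by cutting out a set of pairwise non-nested,
# non-root, non-variable subterms (the l_i) and replacing every remaining
# variable by a parameter: a y_i if the variable also occurs in some l_i,
# a z_i otherwise.  Parameters are numbered left to right within each group,
# which identifies decompositions differing only by a permutation.
from itertools import combinations

def positions(t, prefix=()):
    """Positions of the non-variable, non-root subterms of t, with the subterm."""
    for i, a in enumerate(t[1:], start=1):
        if isinstance(a, tuple):
            yield prefix + (i,), a
            yield from positions(a, prefix + (i,))

def variables(t):
    return {t} if isinstance(t, str) else {v for a in t[1:] for v in variables(a)}

def nested(p, q):
    """True when one position lies inside the other (cuts must not overlap)."""
    return p[:len(q)] == q or q[:len(p)] == p

def remaining_vars(t, cut_pos, p=()):
    """Variables of t outside the cut positions, left to right, without repeats."""
    if p in cut_pos:
        return []
    if isinstance(t, str):
        return [t]
    return list(dict.fromkeys(v for i, a in enumerate(t[1:], start=1)
                              for v in remaining_vars(a, cut_pos, p + (i,))))

def build(t, cut_pos, param, p=()):
    """The context D: cut subterms and variables replaced by their parameters."""
    if p in cut_pos:
        return param[('cut', cut_pos[p])]
    if isinstance(t, str):
        return param[t]
    return (t[0],) + tuple(build(a, cut_pos, param, p + (i,))
                           for i, a in enumerate(t[1:], start=1))

def decompositions(l):
    """Yield (D, [l_1..l_n], [y_1..y_p], [z_1..z_q]) for each proper decomposition
    of l.  The root is never cut, so D is never a bare parameter."""
    pos = list(positions(l))
    for k in range(len(pos) + 1):
        for cut in combinations(pos, k):
            if any(nested(a, b) for a, b in combinations([c[0] for c in cut], 2)):
                continue
            cut_pos = dict(cut)
            ls = list(dict.fromkeys(s for _, s in cut))   # mutually distinct l_i
            in_cut = {v for s in ls for v in variables(s)}
            rem = remaining_vars(l, cut_pos)
            ys = [v for v in rem if v in in_cut]           # y's occur in some l_i
            zs = [v for v in rem if v not in in_cut]       # z's do not
            n, p = len(ls), len(ys)
            param = {('cut', s): ('w%d' % (i + 1),) for i, s in enumerate(ls)}
            param.update({v: ('w%d' % (n + i + 1),) for i, v in enumerate(ys)})
            param.update({v: ('w%d' % (n + p + i + 1),) for i, v in enumerate(zs)})
            yield build(l, cut_pos, param), ls, ys, zs

def signatures(l):
    """The (n, p, q) triple of every proper decomposition of l, in enumeration order."""
    return [(len(ls), len(ys), len(zs)) for _, ls, ys, zs in decompositions(l)]

# Left-hand sides of the two rules of Example 4.2.
DEC_RULE_LHS = ('dec', ('enc', 'x', 'y'), 'y')
DEC_HOM_LHS = ('dec', ('pair', 'x', 'y'), 'z')
```

For `DEC_RULE_LHS` the enumeration yields $D_1$ (no cut, $q = 2$) and then $D_2$ (cutting $\mathrm{enc}(x, y)$, so the remaining occurrence of $y$ becomes $y_1$); for `DEC_HOM_LHS` it yields $D_3$ and $D_4$. Because the same variable is always mapped to a single parameter, non-linearity of $l$ is carried over into $D$ exactly as the definition requires.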

4.2 Transformation rules 

To check deducibility and static equivalence, we proceed by saturating an initial frame, adding some deduction facts and equations satisfied by the frame. We consider states that are either the failure state $\bot$ or a couple $(\Phi, \Psi)$ formed by a one-to-one frame $\Phi$ in $\mathcal{R}$-reduced form and a finite set of quantified equations $\Psi$.

A. Inferring deduction facts and equations by context reduction

Assume that

  $l = D[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$ is a proper decomposition of $(l \to r) \in \mathcal{R}$,
  $M_1 \triangleright t_1, \ldots, M_{n+p} \triangleright t_{n+p} \in \Phi$, and
  $(l_1, \ldots, l_n, y_1, \ldots, y_p)\sigma = (t_1, \ldots, t_{n+p})$.

(1) If there exists $M = \mathrm{Ctx}(\Phi \cup \{z_1 \triangleright z_1, \ldots, z_q \triangleright z_q\} \vdash^? r\sigma)$, then

  $(\Phi, \Psi) \Rightarrow (\Phi, \Psi \cup \{\forall z_1, \ldots, z_q.\ D[M_1, \ldots, M_{n+p}, z_1, \ldots, z_q] \bowtie M\})$ (A.1)

(2) Else, if $(r\sigma){\downarrow_{\mathcal{R}}}$ is ground, then

  $(\Phi, \Psi) \Rightarrow (\Phi \cup \{M_0 \triangleright (r\sigma){\downarrow_{\mathcal{R}}}\},\ \Psi \cup \{\forall z_1, \ldots, z_q.\ D[M_1, \ldots, M_{n+p}, z_1, \ldots, z_q] \bowtie M_0\})$ (A.2)

  where $M_0 = D[M_1, \ldots, M_{n+p}, a, \ldots, a]$ for some fixed public constant $a$.

(3) Otherwise, $(\Phi, \Psi) \Rightarrow \bot$ (A.3)

B. Inferring deduction facts and equations syntactically

Assume that $M_0 \triangleright t_0, \ldots, M_n \triangleright t_n \in \Phi$, $t = f(t_1, \ldots, t_n) \in \mathrm{st}(t_0)$ and $f \in \mathcal{F}_{\mathrm{pub}}$.

(1) If there exists $M$ such that $(M \triangleright t) \in \Phi$,

  $(\Phi, \Psi) \Rightarrow (\Phi, \Psi \cup \{f(M_1, \ldots, M_n) \bowtie M\})$ (B.1)

(2) Otherwise, $(\Phi, \Psi) \Rightarrow (\Phi \cup \{f(M_1, \ldots, M_n) \triangleright t\}, \Psi)$ (B.2)

Fig. 1. Transformation rules

Given an initial frame $\varphi$, our procedure starts from an initial state associated to $\varphi$, denoted by $\mathrm{Init}(\varphi)$, obtained by reducing $\varphi$ and replacing duplicated terms by equations. Formally, $\mathrm{Init}(\varphi)$ is the result of a procedure recursively defined as follows: $\mathrm{Init}(\emptyset) = (\emptyset, \emptyset)$, and assuming $\mathrm{Init}(\varphi) = (\Phi, \Psi)$, we have

  $\mathrm{Init}(\varphi \uplus \{w \triangleright t\}) = (\Phi, \Psi \cup \{w \bowtie w'\})$ if there exists some $w' \triangleright t{\downarrow_{\mathcal{R}}} \in \Phi$,
  $\mathrm{Init}(\varphi \uplus \{w \triangleright t\}) = (\Phi \cup \{w \triangleright t{\downarrow_{\mathcal{R}}}\}, \Psi)$ otherwise.

Example 4.3. Consider the frames $\varphi_0$, $\varphi_1$ and $\varphi$ introduced respectively in Example 3.4 and Example 3.5. We have that $\mathrm{Init}(\varphi_0) = (\varphi_0, \emptyset)$, $\mathrm{Init}(\varphi_1) = (\varphi_1, \emptyset)$ and $\mathrm{Init}(\varphi) = (\{w_1 \triangleright \langle \mathrm{enc}(c_0, k), \mathrm{enc}(c_1, k) \rangle, w_3 \triangleright k\}, \{w_1 \bowtie w_2\})$.

The main part of our procedure consists in saturating a state $(\Phi, \Psi)$ by means of the transformation rules described in Figure 1. The A rules are designed for applying a rewrite step on top of existing deduction facts. If the resulting term $(r\sigma){\downarrow_{\mathcal{R}}}$ is already deducible (in some specific sense that we make precise below) then a corresponding equation is added (rule A.1); or else if it is ground, the corresponding deduction fact is added to the state (rule A.2); otherwise, the procedure may fail (rule A.3). The B rules are meant to add syntactically deducible subterms (rule B.2) or related equations (rule B.1).

For technical reasons, rule A.1 is parametrized by a function $\mathrm{Ctx}$ that outputs either a recipe $M$ or the special symbol $\bot$. This function has to satisfy the following properties:

(a) if $\phi \vdash t{\downarrow_{\mathcal{R}}}$, then $\mathrm{Ctx}(\phi \vdash^? t) \neq \bot$;

(b) if $M = \mathrm{Ctx}(\phi \vdash^? t)$ then there exists $s$ such that $M \triangleright_\phi s$ and $t \to^*_{\mathcal{R}} s$. (This justifies the notation $\vdash^? t$ used to denote a specific deducibility problem.)

Property (a) ensures that the rules transform a state into a state (and more precisely that the resulting frame in (A.2) is still one-to-one). Property (b) guarantees the soundness of the new equation in (A.1). Requiring $t \to^*_{\mathcal{R}} s$ instead of $t =_{\mathsf{E}} s$ is necessary for the proof of completeness. In what follows, a function $\mathrm{Ctx}$ is any function satisfying the two properties (a) and (b).

A simple choice for $\mathrm{Ctx}(\phi \vdash^? t)$ is to solve the deducibility problem $\phi \vdash^? t{\downarrow_{\mathcal{R}}}$ in the empty equational theory, and then return a corresponding recipe $M$, if any. (This problem is easily solved by induction on $t{\downarrow_{\mathcal{R}}}$.) We will see in Section 6 that this choice is sufficient to avoid failure for a large class of equational theories, namely the class of layered convergent theories. However, the proof of this fact relies on an intermediate result that uses a different choice of $\mathrm{Ctx}$.

Example 4.4. Consider the frame $\varphi_0$ previously described in Example 3.4. We can apply rule A.1 as follows. Consider the rewrite rule $\mathrm{dec}(\mathrm{enc}(x, y), y) \to x$, the decomposition $D_2$ given in Example 4.2 and $t_1 = \mathrm{enc}(c_0, k)$. We have that $\mathrm{Init}(\varphi_0) = (\varphi_0, \emptyset) \Rightarrow (\varphi_0, \{\mathrm{dec}(w_1, w_2) \bowtie c_0\})$. In other words, since we know the key $k$ through $w_2$, we can check that the decryption of $w_1$ by $w_2$ leads to the public constant $c_0$. Next we apply rule B.1 as follows:

$(\varphi_0, \{\mathrm{dec}(w_1, w_2) \bowtie c_0\}) \Rightarrow (\varphi_0, \{\mathrm{dec}(w_1, w_2) \bowtie c_0,\ \mathrm{enc}(c_0, w_2) \bowtie w_1\}).$

No more rules can then modify the state. Similarly for $\varphi_1$, we obtain that:

$\mathrm{Init}(\varphi_1) = (\varphi_1, \emptyset)$
$\Rightarrow (\varphi_1, \{\mathrm{dec}(w_1, w_2) \bowtie c_1\})$
$\Rightarrow (\varphi_1, \{\mathrm{dec}(w_1, w_2) \bowtie c_1,\ \mathrm{enc}(c_1, w_2) \bowtie w_1\}).$

Example 4.5. Consider the frame $\varphi$ described in Example 3.5. We can apply rule A.1 as follows. Consider the rewrite rule $\mathrm{dec}(\langle x, y \rangle, z) \to \langle \mathrm{dec}(x, z), \mathrm{dec}(y, z) \rangle$, the decomposition $D_4$ given in Example 4.2 and $t_1 = \langle \mathrm{enc}(c_0, k), \mathrm{enc}(c_1, k) \rangle$. We have that $r\sigma = \langle \mathrm{dec}(\mathrm{enc}(c_0, k), z_1), \mathrm{dec}(\mathrm{enc}(c_1, k), z_1) \rangle$, and thus $\mathrm{Init}(\varphi) \Rightarrow \bot$. We have that $(r\sigma){\downarrow_{\mathcal{R}}} = r\sigma$. The condition required in case (1) is not fulfilled and the condition stated in case (2) is false.

However, note that another strategy of rule application allows us to consider this decomposition. For this, it is sufficient to apply first the B rules to add the deduction facts $\mathrm{proj}_1(w_1) \triangleright \mathrm{enc}(c_0, k)$ and $\mathrm{proj}_2(w_1) \triangleright \mathrm{enc}(c_1, k)$. Now, we have that $(r\sigma){\downarrow_{\mathcal{R}}}$ is syntactically deducible: the condition required in case (1) is fulfilled and we finally add the equation $\forall z_1.\ \mathrm{dec}(w_1, z_1) \bowtie \langle \mathrm{dec}(\mathrm{proj}_1(w_1), z_1), \mathrm{dec}(\mathrm{proj}_2(w_1), z_1) \rangle$.

We write $\Rightarrow^*$ for the transitive and reflexive closure of $\Rightarrow$. The definitions of $\mathrm{Ctx}$ and of the transformation rules ensure that whenever $S \Rightarrow^* S'$ and $S$ is a state, then $S'$ is also a state, with the same parameters unless $S' = \bot$.

4.3 Main theorem

We now state the soundness and the completeness of the transformation rules provided that a saturated state is reached, that is, a state $S \neq \bot$ such that $S \Rightarrow S'$ implies $S' = S$. The technical lemmas involved in the proof of this theorem are detailed in Section 5.

Theorem 4.6 (soundness and completeness). Let $\mathsf{E}$ be an equational theory generated by a convergent rewrite system $\mathcal{R}$. Let $\varphi$ be an initial frame and $(\Phi, \Psi)$ be a saturated state such that $\mathrm{Init}(\varphi) \Rightarrow^* (\Phi, \Psi)$.

(1) For all $M \in \mathcal{F}_{\mathrm{pub}}[\mathrm{par}(\varphi)]$ and $t \in \mathcal{F}[\emptyset]$, we have that:

  $M\varphi =_{\mathsf{E}} t \iff \exists N$ such that $\Psi \models M \bowtie N$ and $N \triangleright_\Phi t{\downarrow_{\mathcal{R}}}$.

(2) For all $M, N \in \mathcal{F}_{\mathrm{pub}}[\mathrm{par}(\varphi) \cup \mathcal{X}]$, we have that:

  $M\varphi =_{\mathsf{E}} N\varphi \iff \Psi \models M \bowtie N$.

We note that this theorem applies to any saturated state reachable from the initial frame. Moreover, while the saturation procedure is sound and complete, it may not terminate, or it may fail if rule A.3 becomes the only applicable rule at some point of the computation. In Section 6 and Section 7, we explore several sufficient conditions to prevent failure and ensure termination.

4.4 Application to deduction and static equivalence

Decision procedures for deduction and static equivalence modulo $\mathsf{E}$ follow from Theorem 4.6.

Algorithm for deduction. Let $\varphi$ be an initial frame and $t$ be a ground term. The procedure for checking $\varphi \vdash_{\mathsf{E}} t$ runs as follows:

(1) Apply the transformation rules to obtain (if any) a saturated state $(\Phi, \Psi)$ such that $\mathrm{Init}(\varphi) \Rightarrow^* (\Phi, \Psi)$;

(2) Return yes if there exists $N$ such that $N \triangleright_\Phi t{\downarrow_{\mathcal{R}}}$ (that is, the $\mathcal{R}$-reduced form of $t$ is syntactically deducible from $\Phi$); otherwise return no.

Proof. If the algorithm returns yes, this means that there exists $N$ such that $N \triangleright_\Phi t{\downarrow_{\mathcal{R}}}$. Thanks to Theorem 4.6 (1), we have that $N\varphi =_{\mathsf{E}} t$, i.e. $N \triangleright^{\mathsf{E}}_\varphi t$.

Conversely, if $t$ is deducible from $\varphi$, then there exists $M$ such that $M\varphi =_{\mathsf{E}} t$. By Theorem 4.6 (1), there exists $N$ such that $N \triangleright_\Phi t{\downarrow_{\mathcal{R}}}$. The algorithm returns yes. □

Example 4.7. Consider the frame $\varphi_0 = \{w_1 \triangleright \mathrm{enc}(c_0, k), w_2 \triangleright k\}$ introduced in Example 3.2 and let $t_1 = \langle k, k \rangle$ and $t_2 = c_0$. Let $(\Phi_0, \Psi_0)$ be the saturated state described in Example 4.4. We have that:

$(\Phi_0, \Psi_0) = (\varphi_0, \{\mathrm{dec}(w_1, w_2) \bowtie c_0,\ \mathrm{enc}(c_0, w_2) \bowtie w_1\}).$

Then, it is easy to see that our algorithm for deduction will return yes for both terms $t_1$ and $t_2$. Indeed, those terms are syntactically deducible from $\varphi_0$.

Algorithm for static equivalence. Let $\varphi_1$ and $\varphi_2$ be two initial frames. The procedure for checking $\varphi_1 \approx_E \varphi_2$ runs as follows:

(1) Apply the transformation rules to obtain (if possible) two saturated states $(\Phi_1, \Psi_1)$ and $(\Phi_2, \Psi_2)$ such that $\mathsf{Init}(\varphi_i) \Rightarrow^* (\Phi_i, \Psi_i)$, $i = 1, 2$;

(2) For $\{i, j\} = \{1, 2\}$, for every equation $(\forall z_1, \ldots, z_q.\ M \bowtie N)$ in $\Psi_i$, check that $M\varphi_j =_E N\varphi_j$, that is, in other words, $(M\varphi_j){\downarrow_{\mathcal{R}}} = (N\varphi_j){\downarrow_{\mathcal{R}}}$;

(3) If so return yes; otherwise return no.

Proof. If the algorithm returns yes, this means that $M\varphi_2 =_E N\varphi_2$ for every equation $(\forall z_1, \ldots, z_q.\ M \bowtie N)$ in $\Psi_1$. Let $M \bowtie N \in \mathrm{eq}_E(\varphi_1)$. By definition of $\mathrm{eq}_E(\varphi_1)$, we have that $M\varphi_1 =_E N\varphi_1$. Thanks to Theorem 4.6 (2), we have that $\Psi_1 \models M \bowtie N$. As all the equations in $\Psi_1$ are satisfied by $\varphi_2$ modulo $E$, we deduce that $M\varphi_2 =_E N\varphi_2$, i.e. $M \bowtie N \in \mathrm{eq}_E(\varphi_2)$. The other inclusion, $\mathrm{eq}_E(\varphi_2) \subseteq \mathrm{eq}_E(\varphi_1)$, is proved in the same way.

Conversely, assume now that $\varphi_1 \approx_E \varphi_2$, i.e. $\mathrm{eq}_E(\varphi_1) = \mathrm{eq}_E(\varphi_2)$. Consider a quantified equation $\forall z_1, \ldots, z_q.\ M \bowtie N$ in $\Psi_1$ and let us show that $M\varphi_2 =_E N\varphi_2$. (The other case is done in a similar way, and we will conclude that the algorithm returns yes.) Let $c_1, \ldots, c_q$ be free public constants not occurring in $M$ and $N$, and let $(M', N') = (M, N)\{z_1 \mapsto c_1, \ldots, z_q \mapsto c_q\}$. Since $\Psi_1 \models M' \bowtie N'$, by Theorem 4.6 (2), we have that $M'\varphi_1 =_E N'\varphi_1$. Besides, $M'$ and $N'$ are ground and $\mathrm{par}(M', N') \subseteq \mathrm{par}(\Psi_1) \subseteq \mathrm{par}(\varphi_1)$. Thus, $(M' \bowtie N') \in \mathrm{eq}_E(\varphi_1) \subseteq \mathrm{eq}_E(\varphi_2)$ and $M'\varphi_2 =_E N'\varphi_2$. As the constants $c_1, \ldots, c_q$ are free in $E$ and do not occur in $M$ and $N$, by replacement, we obtain that $M\varphi_2 =_E N\varphi_2$. □

Example 4.8. Consider the frame $\varphi_1 = \{w_1 \triangleright \mathrm{enc}(c_1, k),\ w_2 \triangleright k\}$ introduced in Example 3.4. Let $(\Phi_0, \Psi_0)$ and $(\Phi_1, \Psi_1)$ be the two saturated states described in Example 4.4. We have that $\mathrm{dec}(w_1, w_2) \bowtie c_0 \in \Psi_0$, and

$$(\mathrm{dec}(w_1, w_2))\varphi_1 =_{E_{\mathrm{enc}}} c_1 \neq_{E_{\mathrm{enc}}} c_0 = c_0\varphi_1.$$

Hence, our algorithm returns no. The two frames $\varphi_0$ and $\varphi_1$ are not statically equivalent.
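As an added illustration (not code from the paper, nor from the YAPA tool, which is written in OCaml), the following Python script implements the two procedures above for the theory $E_{\mathrm{enc}}$ of symmetric encryption and pairing and replays Examples 4.7 and 4.8. Everything in it is an assumption of the example rather than something the paper specifies: terms are nested tuples with `'?x'` for variables and 0-ary symbols for the names $w_i$, the function $\mathsf{Ctx}$ is the simple one of Section 6.3 that only looks at the normal form, only the decompositions with $n \geq 1$ plain terms $l_i$ are enumerated, and the public constant $a$ is substituted for the variables $z_k$ when an equation is stored in $\Psi$. The public symbol `mal` is declared so that the same code also exhibits the failure of Example 6.1, where rule A.3 is the only applicable rule.

```python
"""Saturation-based deduction and static equivalence for a convergent rewrite system, in
the style of the procedure above (an added illustration, not YAPA's own OCaml code).  Terms
are nested tuples: ('enc', t, u) an application, ('k',) a constant, '?x' a variable."""
from itertools import product

RULES = [(('dec', ('enc', '?x', '?y'), '?y'), '?x')]   # E_enc without the projections
PUBLIC_FUN = {'enc', 'dec', 'pair', 'mal'}             # mal: the theory of Example 6.1
PUBLIC_CONST = {('c0',), ('c1',), ('a',)}              # a: the free constant of rule A
def is_var(t): return isinstance(t, str)
def variables(t): return {t} if is_var(t) else {v for a in t[1:] for v in variables(a)}
def subterms(t): return [t] if is_var(t) else [t] + [u for a in t[1:] for u in subterms(a)]
def subst(t, s):  # replace variables (or the names of a frame) by what s maps them to
    return s[t] if t in s else t if is_var(t) else (t[0],) + tuple(subst(a, s) for a in t[1:])

def match(pat, t, s):  # extend s so that subst(pat, s) == t, or return None
    if is_var(pat):
        return None if s.get(pat, t) != t else {**s, pat: t}
    if is_var(t) or pat[0] != t[0] or len(pat) != len(t):
        return None
    for p, a in zip(pat[1:], t[1:]):
        s = None if s is None else match(p, a, s)
    return s

def normalize(t, rules=RULES):  # innermost normal form t↓ (unique since R is convergent)
    if is_var(t):
        return t
    t = (t[0],) + tuple(normalize(a, rules) for a in t[1:])
    for lhs, rhs in rules:
        if (s := match(lhs, t, {})) is not None:
            return normalize(subst(rhs, s), rules)
    return t

def recipe(t, facts):  # M ▷_Φ t: a public recipe for t, or None; a variable z is its
    m = next((m for m, u in facts if u == t), None)  # own recipe, as in Φ+ = Φ ∪ {z ▷ z}
    if m is not None or is_var(t) or t in PUBLIC_CONST:
        return m or t
    args = [recipe(a, facts) for a in t[1:]] if t[0] in PUBLIC_FUN else [None]
    return None if None in args else (t[0],) + tuple(args)

def cut_sets(t, pos=()):  # antichains of (position, subterm) at non-variable, non-root
    if is_var(t):         # positions of t: the l_i of a decomposition (n >= 1 assumed)
        return [frozenset()]
    below = [frozenset()]
    for i, a in enumerate(t[1:], 1):
        below = [b | c for b in below for c in cut_sets(a, pos + (i,))]
    return ([frozenset([(pos, t)])] if pos else []) + below

def build(t, rec, pos=()):  # D[M_1..M_n, N_1..N_p, a..a], or None if some y_j has no fact
    if pos in rec:
        return rec[pos]
    if is_var(t):
        return rec.get(t, ('a',))  # y_j: its fact recipe (None if absent); z_k: the constant a
    args = tuple(build(a, rec, pos + (i,)) for i, a in enumerate(t[1:], 1))
    return None if None in args else (t[0],) + args

def saturate(frame, rules=RULES):  # apply B and A rules until none applies; None on failure
    facts, eqs = list(frame), set()
    def fact_recipe(u):  # recipe of a fact with value u; public constants count as facts
        return next((m for m, v in facts if v == u), u if u in PUBLIC_CONST else None)
    while True:
        changed = failed = False
        for t in {u for _, t0 in facts for u in subterms(t0) if len(u) > 1 and u[0] in PUBLIC_FUN}:
            args, old = [fact_recipe(a) for a in t[1:]], fact_recipe(t)          # B rules
            m = (t[0],) + tuple(args)
            if None not in args and old is None:                        # B.1: new fact
                facts.append((m, t)); changed = True
            elif None not in args and m != old and (m, old) not in eqs:  # B.2: equation
                eqs.add((m, old)); changed = True
        for (lhs, rhs), pieces in [(r, sorted(c)) for r in rules for c in cut_sets(r[0]) if c]:
            for chosen in product(list(facts), repeat=len(pieces)):              # A rules
                sigma = {}
                for (_, li), (_, ti) in zip(pieces, chosen):
                    sigma = None if sigma is None else match(li, ti, sigma)
                if sigma is None:
                    continue
                rec = {p: m for (p, _), (m, _) in zip(pieces, chosen)}
                rec.update({y: fact_recipe(sigma[y]) for _, li in pieces for y in variables(li)})
                if (d := build(lhs, rec)) is None:     # no fact M_{n+j} ▷ y_j σ for some y_j
                    continue
                r = normalize(subst(rhs, sigma), rules)            # the z_k stay variables
                if (n := recipe(r, facts)) is not None:            # A.1: equation ∀z. D ⋈ N
                    n = subst(n, {z: ('a',) for z in variables(n)})
                    if d != n and (d, n) not in eqs:
                        eqs.add((d, n)); changed = True
                elif not variables(r):                             # A.2: new deduction fact
                    facts.append((d, r)); changed = True
                else:                                              # only A.3 would apply
                    failed = True
        if not changed:
            return None if failed else (facts, eqs)

def deducible(frame, t, rules=RULES):  # φ ⊢_E t iff t↓ is syntactically deducible from Φ
    return (sat := saturate(frame, rules)) and recipe(normalize(t, rules), sat[0]) is not None

def statically_equivalent(f1, f2, rules=RULES):  # every equation of Ψ_i must hold in φ_j
    sats = saturate(f1, rules), saturate(f2, rules)
    return None if None in sats else all(
        normalize(subst(m, dict(other)), rules) == normalize(subst(n, dict(other)), rules)
        for (_, eqs), other in zip(sats, (f2, f1)) for m, n in eqs)
K, S, C0, C1, W1, W2 = ('k',), ('s',), ('c0',), ('c1',), ('w1',), ('w2',)  # constructed: k, s private
PHI0, PHI1 = [(W1, ('enc', C0, K)), (W2, K)], [(W1, ('enc', C1, K)), (W2, K)]  # Examples 4.7 and 4.8
```

`saturate(PHI0)` returns `PHI0` unchanged together with the two equations `dec(w1,w2) ⋈ c0` and `enc(c0,w2) ⋈ w1`, which is the state $(\Phi_0, \Psi_0)$ of Example 4.7; `deducible(PHI0, ('pair', K, K))` and `deducible(PHI0, C0)` are both `True`. `statically_equivalent(PHI0, PHI1)` is `False`, as in Example 4.8, because the first equation evaluates to $c_1$ on $\varphi_1$, whereas the frames $\{w_1 \triangleright \mathrm{enc}(c_0, k)\}$ and $\{w_1 \triangleright \mathrm{enc}(c_1, k)\}$, with the key withheld, produce no visible equation and come out equivalent. With the rule `mal(enc(x,y),z) → enc(z,y)` added, `saturate` on the frame $\{w_1 \triangleright \mathrm{enc}(s, k)\}$ finds that the only applicable instance is one of rule A.3 and returns `None`, the failure state of Example 6.1.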

5. SOUNDNESS AND COMPLETENESS OF THE SATURATION 

The goal of this section is to prove Theorem 4.6. Section 5.1 is devoted to establishing soundness of our saturation procedure, i.e. the $\Leftarrow$ direction of Theorem 4.6. Showing the other direction, i.e. completeness, is more involved and is detailed in Section 5.2.

5.1 Soundness 

First, the transformation rules are sound in the sense that, along the saturation process, we add only deducible terms and valid equations with respect to the initial frame.

Lemma 5.1 (soundness). Let $\varphi$ be an initial frame and $(\Phi, \Psi)$ be a state such that $\mathsf{Init}(\varphi) \Rightarrow^* (\Phi, \Psi)$. Then, we have that

(1) $M \triangleright_\Phi t \implies M\varphi =_E t$ for all $M \in \mathcal{T}_{\mathrm{pub}}[\mathrm{dom}(\varphi)]$ and $t \in \mathcal{F}[\emptyset]$;
(2) $\Psi \models M \bowtie N \implies M\varphi =_E N\varphi$ for all $M, N \in \mathcal{T}_{\mathrm{pub}}[\mathrm{dom}(\varphi) \cup \mathcal{X}]$.

Proof. We prove this result by induction on the derivation $\mathsf{Init}(\varphi) \Rightarrow^* (\Phi, \Psi)$.
Base case: We have that $(\Phi, \Psi) = \mathsf{Init}(\varphi)$ and we easily conclude.

Induction case: In such a case, we have $\mathsf{Init}(\varphi) \Rightarrow^* (\Phi', \Psi') \Rightarrow (\Phi, \Psi)$. Let us first notice two facts.

(1) Let $M$ and $t$ be such that $M \triangleright_\Phi t$. By definition of $\triangleright_\Phi$, there exist a public context $C$ and some deduction facts $M'_1 \triangleright t'_1, \ldots, M'_k \triangleright t'_k \in \Phi$ such that $M = C[M'_1, \ldots, M'_k]$ and $t = C[t'_1, \ldots, t'_k]$. In order to prove 1., it is sufficient to show that $M'\varphi =_E t'$ for every $M' \triangleright t' \in \Phi$. By induction hypothesis, this holds for the deduction facts in $\Phi'$, thus it remains to show that $M'\varphi =_E t'$ for every fact $M' \triangleright t' \in \Phi - \Phi'$.

(2) Let $M, N$ be two terms such that $\Psi \models M \bowtie N$. To establish 2., it is sufficient to prove that $M'\varphi =_E N'\varphi$ for every $(\forall z_1, \ldots, z_q.\ M' \bowtie N')$ in $\Psi$. By induction hypothesis, this holds for the equations in $\Psi'$, thus it remains to show that $M'\varphi =_E N'\varphi$ for every equation $(\forall z_1, \ldots, z_q.\ M' \bowtie N')$ in $\Psi - \Psi'$.

Next we perform a case analysis on the inference rule used in $(\Phi', \Psi') \Rightarrow (\Phi, \Psi)$.

First, consider the case of rule A. Let $l \to r \in \mathcal{R}$ be the rewrite rule, $D$ the decomposition, and $M_1 \triangleright t_1, \ldots, M_{n+p} \triangleright t_{n+p}$ the facts involved in this step.

Rule A.2: We need to show that

— $D[M_1, \ldots, M_{n+p}, a, \ldots, a]\varphi =_E (r\sigma){\downarrow_{\mathcal{R}}}$ and

— $D[M_1, \ldots, M_{n+p}, z_1, \ldots, z_q]\varphi =_E D[M_1, \ldots, M_{n+p}, a, \ldots, a]\varphi$.

We note that $D[t_1, \ldots, t_{n+p}, z_1, \ldots, z_q] = l\sigma \to r\sigma \to^* (r\sigma){\downarrow_{\mathcal{R}}}$. Besides, by induction hypothesis we have that $M_i\varphi =_E t_i$ for $1 \le i \le n + p$. Given that $(r\sigma){\downarrow_{\mathcal{R}}}$ is ground, and applying the substitution $\{z_1 \mapsto a, \ldots, z_q \mapsto a\}$ to the equation $D[t_1, \ldots, t_{n+p}, z_1, \ldots, z_q] =_E (r\sigma){\downarrow_{\mathcal{R}}}$, we obtain:

$$D[M_1, \ldots, M_{n+p}, z_1, \ldots, z_q]\varphi =_E D[t_1, \ldots, t_{n+p}, z_1, \ldots, z_q] =_E (r\sigma){\downarrow_{\mathcal{R}}} =_E D[t_1, \ldots, t_{n+p}, a, \ldots, a] =_E D[M_1, \ldots, M_{n+p}, a, \ldots, a]\varphi.$$

Rule A.1: We need to show $D[M_1, \ldots, M_{n+p}, z_1, \ldots, z_q]\varphi =_E M\varphi$. As before, we have $D[M_1, \ldots, M_{n+p}, z_1, \ldots, z_q]\varphi =_E (r\sigma){\downarrow_{\mathcal{R}}}$. We also know that there exists $s$ such that $M \triangleright_{\Phi^+} s$ and $r\sigma \to^* s$ where $\Phi^+ = \Phi \cup \{z_1 \triangleright z_1, \ldots, z_q \triangleright z_q\}$, thanks to property (b) of $\mathsf{Ctx}$. Let $\theta$ be the substitution $\{z_1 \mapsto a, \ldots, z_q \mapsto a\}$. We have that $M\theta \triangleright_\Phi s\theta$. Hence, using the induction hypothesis, we have that $M\theta\varphi =_E s\theta$, thus $M\varphi =_E s$, i.e. $M\varphi =_E (r\sigma){\downarrow_{\mathcal{R}}}$. This allows us to conclude.

Rule A.3: In such a case, the result trivially holds.

Second, we consider the case of B rules. Let $t = f(t_1, \ldots, t_n) \in \mathrm{st}(t_0)$, $f \in \mathcal{F}_{\mathrm{pub}}$ and $M_0 \triangleright t_0, \ldots, M_n \triangleright t_n \in \Phi'$ be involved in the step $(\Phi', \Psi') \Rightarrow (\Phi, \Psi)$.

Rule B.1: By induction hypothesis, $M_i\varphi =_E t_i$ for every $1 \le i \le n$, hence

$$f(M_1, \ldots, M_n)\varphi =_E f(t_1, \ldots, t_n) = t.$$

Rule B.2: By induction hypothesis, $M_i\varphi =_E t_i$ for every $1 \le i \le n$ and $M\varphi =_E t$, hence $f(M_1, \ldots, M_n)\varphi =_E f(t_1, \ldots, t_n) = t =_E M\varphi$. □

5.2 Completeness 

The next three lemmas are dedicated to the completeness of B rules (Lemma 5.2 
and Lemma 5.3) and A rules (Lemma 5.4). 



14 • Mathieu Baudet et al. 

Lemma 5.2 ensures that a saturated state $(\Phi, \Psi)$ contains all the deduction facts $M \triangleright t$ where $t$ is a subterm of $\Phi$ that is syntactically deducible, whereas Lemma 5.3 ensures that saturated states account for all the syntactic equations possibly visible on the frame.

Lemma 5.2 (completeness, syntactic deduction). Let $(\Phi, \Psi)$ be a state, $M_0 \triangleright t_0 \in \Phi$. Let $N, t$ be two terms such that $t \in \mathrm{st}(t_0)$ and $N \triangleright_\Phi t$. Then there exist $(\Phi', \Psi')$ and $N'$ such that:

— $(\Phi, \Psi) \Rightarrow^* (\Phi', \Psi')$ using B rules, and
— $N' \triangleright t \in \Phi'$ and $\Psi' \models N \bowtie N'$.

The proof of Lemma 5.2 is postponed to the appendix. It uses a simple induction 
on the context C witnessing the fact that t is syntactically deducible from $. 

Lemma 5.3 (completeness, syntactic equations). Let $(\Phi, \Psi)$ be a state, and $M, N$ be two terms such that $M \triangleright_\Phi t$ and $N \triangleright_\Phi t$ for some term $t$. Then there exists $(\Phi', \Psi')$ such that:

— $(\Phi, \Psi) \Rightarrow^* (\Phi', \Psi')$ using B rules, and
— $\Psi' \models M \bowtie N$.

Proof (sketch). Let $C, C'$ be the contexts witnessing $M \triangleright_\Phi t$ and $N \triangleright_\Phi t$. Assume that $C$ is smaller than $C'$. The proof is done by induction on $C$. When $C$ is reduced to a hole, we apply Lemma 5.2 to conclude. Otherwise, we have that $C = f(C_1, \ldots, C_r)$ and $C' = f(C'_1, \ldots, C'_r)$. We easily conclude by applying our induction hypothesis on $C_i, C'_i$ for each $1 \le i \le r$. The detailed proof is presented in Appendix A. □

Now, we know that terms that are syntactically deducible from the frame and syntactic equations visible on the frame will be added during our saturation procedure. It remains to take into account the underlying equational theory. This is the purpose of Lemma 5.4, which deals with the reduction of a deducible term along the rewrite system $\mathcal{R}$. Using that $\mathcal{R}$ is convergent, this allows us to prove that every term deducible from a saturated frame is syntactically deducible.

Lemma 5.4 (completeness, context reduction). Let $(\Phi, \Psi)$ be a state and $M, t, t'$ be three terms such that $M \triangleright_\Phi t$ and $t \to_{\mathcal{R}} t'$. Then, either $(\Phi, \Psi) \Rightarrow^* \bot$ or there exist $(\Phi', \Psi')$, $M'$ and $t''$ such that

— $(\Phi, \Psi) \Rightarrow^* (\Phi', \Psi')$,

— $M' \triangleright_{\Phi'} t''$ with $t' \to^*_{\mathcal{R}} t''$, and

— $\Psi' \models M \bowtie M'$.

Besides, in both cases, the corresponding derivation from $(\Phi, \Psi)$ can be chosen to consist of a number of B rules, possibly followed by one instance of A rule involving the same rewrite rule $l \to r$ as the rewrite step $t \to_{\mathcal{R}} t'$.

Proof (sketch). The detailed proof of Lemma 5.4 is left to the appendix. We describe here its main arguments. Since $t \to_{\mathcal{R}} t'$, there exist a position $\alpha$, a substitution $\sigma$ and a rewrite rule $l \to r \in \mathcal{R}$ such that $t|_\alpha = l\sigma$ and $t' = t[r\sigma]_\alpha$. Let $C$ be a context witnessing the fact that $M \triangleright_\Phi t$. Since terms in $\mathrm{im}(\Phi)$ are $\mathcal{R}$-reduced, $\alpha$ is actually a position in $C$. Thus, the rewriting step mentioned above corresponds to a proper $(n, p, q)$-decomposition $D$ of $l$: $l = D[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$. We can show that $M|_\alpha \triangleright_\Phi l\sigma$ and $D[M_1, \ldots, M_n, N_1, \ldots, N_{p+q}] \triangleright_\Phi l\sigma$ where

— $M_1 \triangleright t_1, \ldots, M_n \triangleright t_n$ are deduction facts in $\Phi$,
— for every $1 \le j \le p$, $N_j \triangleright_\Phi y_j\sigma$, and
— for every $1 \le k \le q$, $N_{p+k} \triangleright_\Phi z_k\sigma$.

Thus, by Lemma 5.3, there exists a derivation $(\Phi, \Psi) \Rightarrow^* (\Phi_1, \Psi_1)$ using B rules such that $\Psi_1 \models M|_\alpha \bowtie D[M_1, \ldots, M_n, N_1, \ldots, N_{p+q}]$.

Besides, $y_j\sigma$ is a subterm of some $l_i\sigma = t_i$. Since $N_j \triangleright_\Phi y_j\sigma$, by applying Lemma 5.2 repeatedly, we deduce that there exist some terms $M_{n+1}, \ldots, M_{n+p}$ and a derivation $(\Phi_1, \Psi_1) \Rightarrow^* (\Phi_2, \Psi_2)$ using B rules such that for all $j$,

— $M_{n+j} \triangleright y_j\sigma$ is in $\Phi_2$, and

— $\Psi_2 \models M_{n+j} \bowtie N_j$.

Let $N = D[M_1, \ldots, M_{n+p}, N_{p+1}, \ldots, N_{p+q}]$. We deduce that $N \triangleright_{\Phi_2} l\sigma$, and

$$\Psi_2 \models M|_\alpha \bowtie D[M_1, \ldots, M_n, N_1, \ldots, N_{p+q}] \bowtie N.$$

We now consider the application to $(\Phi_2, \Psi_2)$ of an A rule that involves the rewrite rule $l \to r$, the decomposition $D$, the plain terms $(t_1, \ldots, t_{n+p}) = (l_1, \ldots, l_n, y_1, \ldots, y_p)\sigma$. Depending on whether $(r\sigma){\downarrow_{\mathcal{R}}}$ is ground and $\mathsf{Ctx}(\Phi_2^+ \vdash_{\mathcal{R}} r\sigma) = \bot$, we conclude by applying A.1, A.2 or A.3. □

5.3 Main theorem 

We are now able to prove soundness and completeness of our transformation rules provided that a saturated state is reached.

Theorem 4.6 (soundness and completeness). Let $E$ be an equational theory generated by a convergent rewrite system $\mathcal{R}$. Let $\varphi$ be an initial frame and $(\Phi, \Psi)$ be a saturated state such that $\mathsf{Init}(\varphi) \Rightarrow^* (\Phi, \Psi)$.

(1) For all $M \in \mathcal{T}_{\mathrm{pub}}[\mathrm{par}(\varphi)]$ and $t \in \mathcal{F}[\emptyset]$, we have that:

$$M\varphi =_E t \iff \exists N \text{ such that } \Psi \models M \bowtie N \text{ and } N \triangleright_\Phi t{\downarrow_{\mathcal{R}}}.$$

(2) For all $M, N \in \mathcal{T}_{\mathrm{pub}}[\mathrm{par}(\varphi) \cup \mathcal{X}]$, we have that:

$$M\varphi =_E N\varphi \iff \Psi \models M \bowtie N.$$

Proof. Let $\varphi$ be an initial frame and $(\Phi, \Psi)$ be a saturated state such that $\mathsf{Init}(\varphi) \Rightarrow^* (\Phi, \Psi)$.

1.($\Leftarrow$) Let $M$, $N$ and $t$ be such that $\Psi \models M \bowtie N$ and $N \triangleright_\Phi t{\downarrow_{\mathcal{R}}}$. Thanks to Lemma 5.1, we have that $M\varphi =_E N\varphi =_E t{\downarrow_{\mathcal{R}}} =_E t$.

($\Rightarrow$) Let $M$ and $t$ be such that $M\varphi =_E t$. We have that $M \triangleright_\Phi t_0 \to^* t{\downarrow_{\mathcal{R}}}$ for some term $t_0$. We show the result by induction on $t_0$ equipped with the order $<$ induced by the rewriting relation ($t < t'$ if and only if $t' \to^+ t$).

Base case: $M \triangleright_\Phi t_0 = t{\downarrow_{\mathcal{R}}}$. Let $N = M$; we have $\Psi \models M \bowtie N$ and $N \triangleright_\Phi t{\downarrow_{\mathcal{R}}}$.
Induction case: $M \triangleright_\Phi t_0 \to^+ t{\downarrow_{\mathcal{R}}}$. Let $t'$ be such that $M \triangleright_\Phi t_0 \to t' \to^* t{\downarrow_{\mathcal{R}}}$. Thanks to Lemma 5.4 and since $(\Phi, \Psi)$ is already saturated¹, we deduce that there exist $N'$ and $t''$ such that $N' \triangleright_\Phi t''$, $t' \to^* t''$, and $\Psi \models M \bowtie N'$. We have that $N' \triangleright_\Phi t'' \to^* t{\downarrow_{\mathcal{R}}}$ and $t'' \le t' < t_0$. Thus, we can apply our induction hypothesis and we obtain that there exists $N$ such that $\Psi \models N' \bowtie N$ and $N \triangleright_\Phi t{\downarrow_{\mathcal{R}}}$.

2.($\Leftarrow$) By Lemma 5.1, $\Psi \models M \bowtie N$ implies $M\varphi =_E N\varphi$.

($\Rightarrow$) Let $M$ and $N$ be such that $M\varphi =_E N\varphi$. This means that there exists $t$ such that $M\varphi =_E t$ and $N\varphi =_E t$. By applying 1, we deduce that there exist $M', N'$ such that: $\Psi \models M \bowtie M'$, $M' \triangleright_\Phi t{\downarrow_{\mathcal{R}}}$, $\Psi \models N \bowtie N'$ and $N' \triangleright_\Phi t{\downarrow_{\mathcal{R}}}$. Thanks to Lemma 5.3 and since $(\Phi, \Psi)$ is already saturated, we easily deduce that $\Psi \models M' \bowtie N'$, and thus $\Psi \models M \bowtie N$. □

We proved that saturated frames yield sound and complete characterizations of deducible terms and visible equations of their initial frames. Yet, the saturation procedure may still not terminate, or fail due to rule A.3.

6. NON-FAILURE 

As shown by the following example (from [Ciobaca et al. 2009]), our procedure may fail.

Example 6.1. Consider the theory $E_{\mathrm{mal}}$ given below:

$$E_{\mathrm{mal}} = \{\mathrm{dec}(\mathrm{enc}(x, y), y) = x,\ \mathrm{mal}(\mathrm{enc}(x, y), z) = \mathrm{enc}(z, y)\}.$$

The $\mathrm{mal}$ function symbol allows one to arbitrarily change the plaintext of an encryption. Such a malleable encryption is not realistic. It is only used for illustrative purposes.

By orienting the equations from left to right, we obtain a convergent rewrite system. Thus, $E_{\mathrm{mal}}$ is a convergent equational theory. Let $\varphi = \{w_1 \triangleright \mathrm{enc}(s, k)\}$ where $s$ and $k$ are private constants. The only rule that is applicable is an instance of an A rule. Consider the rewrite rule $\mathrm{mal}(\mathrm{enc}(x, y), z) \to \mathrm{enc}(z, y)$ and the only deduction fact in $\mathsf{Init}(\varphi) = (\varphi, \emptyset)$. We obtain $(r\sigma){\downarrow_{\mathcal{R}}} = \mathrm{enc}(z, k)$. This term is not ground and the condition required in case (1) is not fulfilled. Thus, we have that $\mathsf{Init}(\varphi) \Rightarrow \bot$. Note that, since no other rule is applicable, there is no hope to find a strategy of rule applications to handle this case.

In this section, we identify a class of theories, called layered convergent theories (a syntactically defined class of theories), for which failure is guaranteed not to occur.

6.1 Layered convergent theories 

We prove that the algorithm never fails for layered convergent theories. Layered convergent theories are a generalization of subterm theories, obtained by considering each decomposition of the rewrite rules of the theory.

Definition 6.2 (layered rewrite system). A rewrite system $\mathcal{R}$, and by extension its equational theory $E$, are layered if there exists an ascending chain of subsets $\emptyset = \mathcal{R}_0 \subseteq \mathcal{R}_1 \subseteq \ldots \subseteq \mathcal{R}_{N+1} = \mathcal{R}$ ($N \ge 0$), such that for every $0 \le i \le N$, for every rule $l \to r$ in $\mathcal{R}_{i+1} - \mathcal{R}_i$, for every $(n, p, q)$-decomposition $l = D[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$, one of the following two conditions holds:

(i) $\mathrm{var}(r) \subseteq \mathrm{var}(l_1, \ldots, l_n)$;
(ii) there exist $C_0, C_1, \ldots, C_k$ and $s_1, \ldots, s_k$ such that

— $r = C_0[s_1, \ldots, s_k]$;

— for each $1 \le i \le k$, $C_i[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$ rewrites to $s_i$ in zero or one step of rewrite rule in head position along $\mathcal{R}_i$.

In the latter case, we say that the context $C = C_0[C_1, \ldots, C_k]$ is associated to the decomposition $D$ of $l \to r$. Note that $C[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q] \to^*_{\mathcal{R}_i} r$.

¹ Note that rule A.3 is never applicable on a saturated state.

The large class of weakly subterm convergent theories is an (easy) particular case of layered convergent theories.

Lemma 6.3. Any weakly subterm convergent rewrite system $\mathcal{R}$ is layered convergent.

Proof. Let $N = 0$ and $\mathcal{R}_1 = \mathcal{R}$. For any $l \to r$ in $\mathcal{R}$ and for every decomposition $l = D[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$, the term $r$ is a subterm of $l$, thus either $r = C[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$ for some context $C$, or $r$ is a subterm of some $l_i$, thus $\mathrm{var}(r) \subseteq \mathrm{var}(l_1, \ldots, l_n)$. □

Consider the convergent theories of blind signatures $E_{\mathrm{blind}}$ and prefix encryption $E_{\mathrm{pref}}$ defined by the following sets of equations.

$$E_{\mathrm{blind}} = \left\{\begin{array}{l} \mathrm{checksign}(\mathrm{sign}(x, y), \mathrm{pub}(y)) = \mathrm{ok} \\ \mathrm{unblind}(\mathrm{blind}(x, y), y) = x \\ \mathrm{unblind}(\mathrm{sign}(\mathrm{blind}(x, y), z), y) = \mathrm{sign}(x, z) \end{array}\right.$$

$$E_{\mathrm{pref}} = E_{\mathrm{enc}} \cup \{\mathrm{pref}(\mathrm{enc}(\langle x, y \rangle, z)) = \mathrm{enc}(x, z)\}$$

The theory $E_{\mathrm{blind}}$ models primitives used in e-voting protocols [Delaune et al. 2009]. The prefix theory represents the property of many chained modes of encryption (e.g. CBC) where an attacker can retrieve any encrypted prefix out of a ciphertext.

Lemma 6.4. The rewrite system associated to the theory of homomorphism $E_{\mathrm{hom}}$ defined in Section 2.3 as well as the rewrite systems obtained by orienting from left to right the equations in $E_{\mathrm{blind}}$ and $E_{\mathrm{pref}}$ are layered convergent.

Proof. Let us check for instance that the prefix theory $E_{\mathrm{pref}}$ is layered. Let $N = 1$, $\mathcal{R}_1$ be the rewrite system obtained from $E_{\mathrm{enc}}$ by orienting the equations from left to right, and $\mathcal{R}_2 = \mathcal{R}_1 \cup \{\mathrm{pref}(\mathrm{enc}(\langle x, y \rangle, z)) \to \mathrm{enc}(x, z)\}$. The rewrite rules of $\mathcal{R}_1$ satisfy the assumptions since $\mathcal{R}_1$ forms a convergent subterm rewrite system. The additional rule $\mathrm{pref}(\mathrm{enc}(\langle x, y \rangle, z)) \to \mathrm{enc}(x, z)$ admits three decompositions up to permutation of parameters:

— $l = \mathrm{pref}(l_1)$, in which case $\mathrm{var}(r) \subseteq \mathrm{var}(l_1)$;

— $l = \mathrm{pref}(\mathrm{enc}(l_1, z))$, in which case $\mathrm{enc}(\mathrm{proj}_1(l_1), z) \to_{\mathcal{R}_1} r$;

— $l = \mathrm{pref}(\mathrm{enc}(\langle x, y \rangle, z))$, in which case $r = \mathrm{enc}(x, z)$.

Verifying that the convergent theories $E_{\mathrm{hom}}$ and $E_{\mathrm{blind}}$ are layered is similar. □




6.2 A syntactic criterion

Definition 6.5 (maximal). We say that the function $\mathsf{Ctx}$ is maximal if for every $\Phi$ and $t$, if there exists $s$ such that $\Phi \vdash s$ and $t \to^*_{\mathcal{R}} s$, then $\mathsf{Ctx}(\Phi \vdash_{\mathcal{R}} t) \neq \bot$.

Proposition 6.6. Assume that the function $\mathsf{Ctx}$ in use is maximal. Then, provided that $\mathcal{R}$ is layered convergent, there exists no state $(\Phi, \Psi)$ from which $(\Phi, \Psi) \Rightarrow \bot$ is the only applicable derivation.

Proof. By contradiction, let $(\Phi, \Psi)$ be a state from which $(\Phi, \Psi) \Rightarrow \bot$ is the only applicable derivation, and let $l \to r$ be the rewrite rule involved in the corresponding instance of A.3. We prove the property by induction on the index $i \in \{0, \ldots, N\}$ such that $l \to r \in \mathcal{R}_{i+1} - \mathcal{R}_i$. Using the notations of Figure 1 for the instance of A.3 under consideration and the assumption on $\mathsf{Ctx}$, we have that:

(a) for every $r\sigma \to^*_{\mathcal{R}} s$, $\Phi \cup \{z_1 \triangleright z_1, \ldots, z_q \triangleright z_q\} \nvdash s$, and

(b) $(r\sigma){\downarrow_{\mathcal{R}}}$ is not ground.

In particular, (b) implies that $\mathrm{var}(r)$ is not included in $\mathrm{var}(l_1, \ldots, l_n)$, otherwise we would have

$$\mathrm{var}((r\sigma){\downarrow_{\mathcal{R}}}) \subseteq \mathrm{var}(r\sigma) \subseteq \mathrm{var}(\mathrm{var}(r)\sigma) \subseteq \mathrm{var}(\mathrm{var}(l_1, \ldots, l_n)\sigma) \subseteq \mathrm{var}(t_1, \ldots, t_n) = \emptyset.$$

By assumption on the decomposition $l = D[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$ of $l \to r \in \mathcal{R}_{i+1} - \mathcal{R}_i$, we deduce that there exist some contexts $C_0, \ldots, C_k$ and some terms $s_1, \ldots, s_k$ such that:

— $r = C_0[s_1, \ldots, s_k]$;

— for each $1 \le i \le k$, $C_i[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$ rewrites to $s_i$ in zero or one step of rewrite rule in head position along $\mathcal{R}_i$.

Let $C = C_0[C_1, \ldots, C_k]$ and $t_0 = C[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$. Note that $t_0 \to^*_{\mathcal{R}_i} r$. If $t_0 = r$, we obtain that $r\sigma = C[t_1, \ldots, t_{n+p}, z_1, \ldots, z_q]$ is syntactically deducible from $\Phi \cup \{z_1 \triangleright z_1, \ldots, z_q \triangleright z_q\}$, which contradicts (a). Hence $t_0 \to^+_{\mathcal{R}_i} r$ and in particular $i > 0$.

Let $\mu$ be a substitution mapping the variables $z_j$ to distinct fresh public constants $a_j$. For each $1 \le i \le k$, let $u_i = C_i[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]\sigma\mu$. The term $u_i = C_i[t_1, \ldots, t_{n+p}, a_1, \ldots, a_q]$ is syntactically deducible from $\Phi$, and reduces to $u'_i = s_i\sigma\mu$ in zero or one step (in head position) along $\mathcal{R}_i$.

By induction hypothesis on $i - 1$, no applicable rule A.3 from $(\Phi, \Psi)$ may involve a rule in $\mathcal{R}_i$. Besides, by assumption, $(\Phi, \Psi)$ is saturated for the rules B.1, B.2, A.1 and A.2. Therefore, Lemma 5.4 applied to $\Phi \vdash u_i$ and $u_i \to_{\mathcal{R}_i} u'_i$ implies that there exists $u''_i$ such that $u'_i \to^*_{\mathcal{R}} u''_i$ and $\Phi \vdash u''_i$. The same conclusion trivially holds if $u'_i = u_i$. Let $s = C_0[u''_1, \ldots, u''_k]\mu^{-1}$ be the term obtained by replacing each $a_j$ by $z_j$ in $C_0[u''_1, \ldots, u''_k]$. Since the $a_j$ do not occur in $\mathcal{R}$ nor in $\Phi$, we deduce that $s$ satisfies $r\sigma = C_0[s_1\sigma, \ldots, s_k\sigma] = C_0[u'_1, \ldots, u'_k]\mu^{-1} \to^*_{\mathcal{R}} s$ and $\Phi \cup \{z_1 \triangleright z_1, \ldots, z_q \triangleright z_q\} \vdash s$, in contradiction with the condition (a) stated at the beginning of the proof. □
6.3 Practical considerations

Unfortunately, such a maximal $\mathsf{Ctx}$ is too inefficient in practice as one has to consider the syntactic deducibility problem $\Phi \vdash s$ for every $t \to^*_{\mathcal{R}} s$. Proposition 6.7 below shows that the simple function $\mathsf{Ctx}$ is actually sufficient to ensure non-failure when we know that another function $\mathsf{Ctx}$ already prevents failure on any state (reachable or not).

Proposition 6.7. Let $\mathcal{R}$ be a convergent rewrite system and $\mathsf{Ctx}_0$ be an arbitrary function $\mathsf{Ctx}$. If there exists no state $(\Phi, \Psi)$ from which $(\Phi, \Psi) \Rightarrow \bot$ is the only applicable derivation when the function $\mathsf{Ctx}$ in use is $\mathsf{Ctx}_0$, then there exists no state $(\Phi, \Psi)$ from which $(\Phi, \Psi) \Rightarrow \bot$ is the only applicable derivation for any choice of $\mathsf{Ctx}$.

Proof. Let $\mathsf{Ctx}_0$ and $\mathsf{Ctx}_1$ be two arbitrary functions $\mathsf{Ctx}$ (i.e. they satisfy properties (a) and (b)). Assume that there exists no state $(\Phi, \Psi)$ from which $(\Phi, \Psi) \Rightarrow \bot$ is the only applicable derivation when the function $\mathsf{Ctx}$ in use is $\mathsf{Ctx}_0$. Assume by contradiction that there exists a state $(\Phi_0, \Psi_0)$ from which $(\Phi_0, \Psi_0) \Rightarrow \bot$ is the only applicable derivation for $\mathsf{Ctx}_1$. This means that there exist:

— a rewrite rule $l \to r \in \mathcal{R}$,

— a proper decomposition $D[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$ of $l$,

— some deduction facts $M_1 \triangleright t_1, \ldots, M_{n+p} \triangleright t_{n+p} \in \Phi_0$, and

— a substitution $\sigma$ such that $(l_1, \ldots, l_n, y_1, \ldots, y_p)\sigma = (t_1, \ldots, t_{n+p})$.

Moreover, since this instance corresponds to an instance of A.3, we have that $r\sigma{\downarrow_{\mathcal{R}}}$ is not ground. When the function $\mathsf{Ctx}$ in use is $\mathsf{Ctx}_0$, this instance has to correspond to an instance of A.1 (A.2 and A.3 are impossible). Hence, we have that $\mathsf{Ctx}_0(\Phi_0 \cup \{z_1 \triangleright z_1, \ldots, z_q \triangleright z_q\} \vdash_{\mathcal{R}} r\sigma) \neq \bot$. This means that there exists $s$ such that $r\sigma \to^*_{\mathcal{R}} s$ and $\Phi_0 \cup \{z_1 \triangleright z_1, \ldots, z_q \triangleright z_q\} \vdash s$. Since $\mathcal{R}$ is convergent, we have that $s \to^*_{\mathcal{R}} r\sigma{\downarrow_{\mathcal{R}}}$.

Let $\mu$ be a substitution mapping the variables $z_j$ to distinct fresh public constants $a_j$. We have that $s\mu \to^*_{\mathcal{R}} (r\sigma{\downarrow_{\mathcal{R}}})\mu$ and also that $\Phi_0 \vdash s\mu$. Since $(\Phi_0, \Psi_0) \Rightarrow \bot$ is the only applicable derivation for $\mathsf{Ctx}_1$, the rules A.2, B.1, and B.2 cannot be applicable, even for $\mathsf{Ctx}_0$. We saturate $(\Phi_0, \Psi_0)$ with the A.1 rule for $\mathsf{Ctx}_0$, reaching a state of the form $(\Phi_0, \Psi'_0)$ since only equations can be added to the state. Note also that the A.1 rule can only be applied a finite number of times and does not trigger the other rules. Thus $(\Phi_0, \Psi'_0)$ is saturated for $\mathsf{Ctx}_0$. Using Lemma 5.4 (with the function $\mathsf{Ctx}_0$), we obtain that $\Phi_0 \vdash (r\sigma{\downarrow_{\mathcal{R}}})\mu$, and thus $\Phi_0 \cup \{z_1 \triangleright z_1, \ldots, z_q \triangleright z_q\} \vdash r\sigma{\downarrow_{\mathcal{R}}}$. This contradicts the fact that A.1 does not apply on $(\Phi_0, \Psi_0)$ when the function $\mathsf{Ctx}$ in use is $\mathsf{Ctx}_1$. Hence, the result. □

Corollary 6.8. Let $\mathcal{R}$ be a layered convergent rewrite system and consider an arbitrary function $\mathsf{Ctx}$ in use. There exists no state $(\Phi, \Psi)$ from which $(\Phi, \Psi) \Rightarrow \bot$ is the only applicable derivation.

7. TERMINATION 

In the previous section, we have described a sufficient criterion for non-failure. As 
shown by the example given below, this criterion does not ensure the termination 
of our saturation procedure. 
Example 7.1. Consider the following layered convergent rewrite system $\mathrm{f}(\mathrm{g}(x)) \to \mathrm{g}(\mathrm{h}(x))$ where $\mathrm{f}$ is a public function symbol whereas $\mathrm{g}$ and $\mathrm{h}$ are private function symbols. Let $\varphi = \{w_0 \triangleright \mathrm{g}(a)\}$ where $a$ is a private constant. By repeatedly applying the A rule on the newly generated deduction fact, we generate an infinite number of deduction facts of the form:

$$\mathrm{f}(w_0) \triangleright \mathrm{g}(\mathrm{h}(a)),\quad \mathrm{f}(\mathrm{f}(w_0)) \triangleright \mathrm{g}(\mathrm{h}(\mathrm{h}(a))),\quad \mathrm{f}(\mathrm{f}(\mathrm{f}(w_0))) \triangleright \mathrm{g}(\mathrm{h}(\mathrm{h}(\mathrm{h}(a)))),\ \ldots$$

To obtain decidability for a given layered convergent theory, there remains only to 
provide a termination argument. Such an argument is generally easy to develop by 
hand as we illustrate on the example of the prefix theory. For the case of existing 
decidability results from [Abadi and Cortier 2006], such as the theories of blind 
signature and homomorphic encryption, we also provide a semantic criterion that 
allows us to directly conclude termination of the procedure. Note that this semantic 
criterion does not apply only to layered convergent theories but to any convergent 
theories (for which failure is guaranteed not to happen). 

7.1 Termination of B rules 

To begin with, we note that B rules always terminate after a polynomial number of steps. Let us write $\Rightarrow^n$ for the relation made of exactly $n$ strict applications of rules ($S \Rightarrow^1 S'$ iff $S \Rightarrow S'$ and $S \neq S'$).

Proposition 7.2. For every states $S = (\Phi, \Psi)$ and $S'$ such that $S \Rightarrow^n S'$ using only B rules, $n$ is polynomially bounded in the size of $\mathrm{im}(\Phi)$.

This is due to the fact that frames are one-to-one and that the rule B.2 only adds deduction facts $M \triangleright t$ such that $t$ is a subterm of an existing term in $\Phi$.

7.2 Proving termination by hand

For proving termination, we observe that it is sufficient to provide a function $s$ mapping each frame $\Phi$ to a finite set of terms $s(\Phi)$ including the subterms of $\mathrm{im}(\Phi)$ and such that rule A.2 only adds deduction facts $M \triangleright t$ satisfying $t \in s(\Phi)$.

For subterm theories, we obtain polynomial termination by choosing $s(\Phi)$ to be the subterms of $\mathrm{im}(\Phi)$ together with the ground right-hand sides of $\mathcal{R}$.

Proposition 7.3. Let $E$ be a weakly subterm convergent theory. For every $S = (\Phi, \Psi)$ and $S'$ such that $S \Rightarrow^n S'$, $n$ is polynomially bounded in the size of $\mathrm{im}(\Phi)$.

To conclude that deduction and static equivalence are decidable in polynomial time [Abadi and Cortier 2006], we need to show that the deduction facts and the equations are of polynomial size. This requires a DAG representation for terms and visible equations. For our implementation, we have chosen not to use DAGs for the sake of simplicity since DAGs require much heavier data structures. However, similar techniques as those described in [Abadi and Cortier 2006] would apply to implement our procedure using DAGs.

For proving termination for the prefix theory $E_{\mathrm{pref}}$, it suffices to consider $s(\Phi) = \mathrm{st}_{\mathrm{ext}}(\Phi)$, where the notion of extended subterm is recursively defined as follows:

— $\mathrm{st}_{\mathrm{ext}}(a) = \{a\}$ if $a$ is a constant or a variable
— $\mathrm{st}_{\mathrm{ext}}(f(t_1, \ldots, t_n)) = \{f(t_1, \ldots, t_n)\} \cup \bigcup_{i=1}^{n} \mathrm{st}_{\mathrm{ext}}(t_i)$ if $f \in \{\mathrm{dec}, \langle\,,\rangle, \mathrm{proj}_1, \mathrm{proj}_2, \mathrm{pref}\}$
— $\mathrm{st}_{\mathrm{ext}}(\mathrm{enc}(t, u)) = \{\mathrm{enc}(t, u), \mathrm{enc}(t_1, u)\} \cup \mathrm{st}_{\mathrm{ext}}(t) \cup \mathrm{st}_{\mathrm{ext}}(u)$ if $t = \langle t_1, t_2 \rangle$
— $\mathrm{st}_{\mathrm{ext}}(\mathrm{enc}(t, u)) = \{\mathrm{enc}(t, u)\} \cup \mathrm{st}_{\mathrm{ext}}(t) \cup \mathrm{st}_{\mathrm{ext}}(u)$ otherwise.

Proposition 7.4. Consider the prefix theory $E_{\mathrm{pref}}$. For every $S = (\Phi, \Psi)$ and $S'$ such that $S \Rightarrow^n S'$, $n$ is polynomially bounded in the size of $\mathrm{im}(\Phi)$.

We then deduce that deduction and static equivalence are decidable for the equational theory $E_{\mathrm{pref}}$, which is a new decidability result.

Corollary 7.5. Deduction and static equivalence are decidable in polynomial time for the equational theory $E_{\mathrm{pref}}$.

Similarly, we may retrieve decidability of deduction and static equivalence for $E_{\mathrm{hom}}$ and $E_{\mathrm{blind}}$. However, we provide another criterion that allows one to derive these facts from existing results.

7.3 A semantic criterion 

We now provide a semantic criterion that more generally explains why our procedure succeeds on theories previously known to be decidable [Abadi and Cortier 2006]. This criterion intuitively states that the set of deducible terms from any initial frame $\varphi$ should be equivalent to a set of syntactically deducible terms. Provided that failures are prevented and assuming a fair strategy for rule application, we prove that this criterion is a necessary and sufficient condition for our procedure to terminate.

Definition 7.6 (fair derivation). An infinite derivation

$$(\Phi_0, \Psi_0) \Rightarrow \ldots \Rightarrow (\Phi_n, \Psi_n) \Rightarrow \ldots$$

is fair iff along this derivation,

(a) B rules are applied with greatest priority, and

(b) whenever an A rule is applicable for some instance $(l \to r, D, t_1, \ldots, t_n, \ldots)$, eventually the same instance of rule is applied during the derivation.

Fairness implies that any deducible term is eventually syntactically deducible. This result follows from Lemma 5.3 and Lemma 5.4.

Lemma 7.7. Let $S_0 = (\Phi_0, \Psi_0) \Rightarrow \ldots \Rightarrow (\Phi_n, \Psi_n) \Rightarrow \ldots$ be an infinite fair derivation from a state $S_0$. For every ground term $t$ such that $\Phi_0 \vdash_E t$, either $(\Phi_0, \Psi_0) \Rightarrow^* \bot$ or there exists $i$ such that $\Phi_i \vdash t{\downarrow_{\mathcal{R}}}$.

Proof. Let $t$ be a ground term deducible from $\Phi_i$ modulo $E$. There exists $t_0$ such that $M \triangleright_{\Phi_i} t_0$ and $t_0 \to^* t{\downarrow_{\mathcal{R}}}$. This means that there exist a (public) context $C$ and some deduction facts $M_1 \triangleright t_1, \ldots, M_n \triangleright t_n \in \Phi_i$ such that $M = C[M_1, \ldots, M_n]$ and $t_0 = C[t_1, \ldots, t_n]$.

We show that either $(\Phi_i, \Psi_i) \Rightarrow^* \bot$ or there exists $j \ge i$ such that $t{\downarrow_{\mathcal{R}}}$ is syntactically deducible from $\Phi_j$, by induction on $t_0$ equipped with the order $<$ induced by the rewriting relation (that is $t_1 < t_2$ if and only if $t_2 \to^+ t_1$).
Base case: $t_0 = t{\downarrow_{\mathcal{R}}}$. In such a case, since $\Phi_i \vdash t_0$, we have that $\Phi_i \vdash t{\downarrow_{\mathcal{R}}}$. This allows us to conclude.
Induction step: $t_0 \to t' \to^* t{\downarrow_{\mathcal{R}}}$.

Along a fair derivation, B rules are applied in priority. Hence, we choose the smallest $i_1 \ge i$ such that no more B rules can be applied from $(\Phi_{i_1}, \Psi_{i_1})$. Note indeed that there is no infinite derivation with only B rules (Proposition 7.2). We still have that $C[M_1, \ldots, M_n] \triangleright_{\Phi_{i_1}} t_0 \to t'$.

Applying Lemma 5.4 and observing that no B rule can be applied from $(\Phi_{i_1}, \Psi_{i_1})$, we are in one of the following cases:

— $(\Phi_{i_1}, \Psi_{i_1}) \Rightarrow \bot$. In such a case, we easily conclude since $(\Phi_0, \Psi_0) \Rightarrow^* \bot$.
— $\Phi_{i_1} \vdash t''$ for some $t''$ such that $t' \to^*_{\mathcal{R}} t''$. In such a case, we conclude by applying our induction hypothesis since $t'' \le t' < t_0$. There exists $j \ge i_1$ such that

— Otherwise an instance $(l \to r, D, t_1, \ldots, t_n, \ldots)$ of an A rule is applicable. Note that this instance is entirely determined by the rewrite rule $l \to r$ involved in the rewriting step $t_0 \to t'$, the deduction facts $M_i \triangleright t_i$ ($1 \le i \le n$) and the public context that witness the fact that $\Phi_i \vdash t_0$.

By fairness, we know that an A rule will be applied along the derivation for the same instance $(l \to r, D, t_1, \ldots, t_n, \ldots)$. Let $i_2$ be the index at which this instance is applied. We have that $i_2 \ge i_1$. Note that since B rules are applied in priority, $(\Phi_{i_2}, \Psi_{i_2})$ is saturated for B rules. Either we have that $(\Phi_{i_2}, \Psi_{i_2}) \Rightarrow \bot$ (and thus $(\Phi_i, \Psi_i) \Rightarrow^* \bot$) or $(\Phi_{i_2}, \Psi_{i_2}) \Rightarrow (\Phi_{i_2+1}, \Psi_{i_2+1})$.

We have that $C[M_1, \ldots, M_n] \triangleright_{\Phi_{i_2}} t_0$ and $t_0 \to_{\mathcal{R}} t'$. By Lemma 5.4, either $(\Phi_{i_2}, \Psi_{i_2}) \Rightarrow \bot$ or there exist $(\Phi'_{i_2}, \Psi'_{i_2})$, $M'$ and $t''$ such that:

— $M' \triangleright_{\Phi'_{i_2}} t''$ with $t' \to^*_{\mathcal{R}} t''$; and

— $\Psi'_{i_2} \models C[M_1, \ldots, M_n] \bowtie M'$.

Actually, the instance of the A rule that is applied in this derivation is entirely determined by the rewrite rule $l \to r$ involved in the rewriting step $t_0 \to t'$, the public context $C$ and the deduction facts $M_i \triangleright t_i$ ($1 \le i \le n$) that witness the fact that $\Phi_i \vdash t_0$ (and thus $\Phi_{i_2} \vdash t_0$). Hence, we have that $(\Phi'_{i_2}, \Psi'_{i_2}) = (\Phi_{i_2+1}, \Psi_{i_2+1})$. Thus we have that $M' \triangleright_{\Phi_{i_2+1}} t''$ with $t'' \to^* t{\downarrow_{\mathcal{R}}}$ and $t'' \le t' < t_0$. We can apply our induction hypothesis: either $(\Phi_{i_2+1}, \Psi_{i_2+1}) \Rightarrow^* \bot$ (and thus $(\Phi_i, \Psi_i) \Rightarrow^* \bot$) or there exists $j \ge i_2 + 1$ such that $\Phi_j \vdash t{\downarrow_{\mathcal{R}}}$. □

Our termination criterion (Property (ii) below) is a semantic criterion. It is related to the notion of locally stable theories introduced in [Abadi and Cortier 2006].

Proposition 7.8 (criterion for termination). Let $\varphi$ be an initial frame such that $\mathsf{Init}(\varphi) \not\Rightarrow^* \bot$. The following conditions are equivalent:

(i) There exists a saturated couple $(\Phi, \Psi)$ such that $\mathsf{Init}(\varphi) \Rightarrow^* (\Phi, \Psi)$.

(ii) There exists a (finite) initial frame $\varphi_s$ such that for every term $t$, $t$ is deducible from $\varphi$ modulo $E$ iff $t{\downarrow_{\mathcal{R}}}$ is syntactically deducible from $\varphi_s$.

(iii) There exists no fair infinite derivation starting from $\mathsf{Init}(\varphi)$.

Proof. (iii) $\Rightarrow$ (i): trivial. Indeed, by using a fair derivation we will eventually reach a weakly saturated state. (i) $\Rightarrow$ (ii): Let $\Phi = \{M_1 \triangleright s_1, \ldots, M_\ell \triangleright s_\ell\}$ and $\varphi_s = \{w_1 \triangleright s_1, \ldots, w_\ell \triangleright s_\ell\}$. Let $t$ be a ground term. By Theorem 4.6, we have that $\exists M.\ M\varphi =_E t$ iff $\exists M.\ M \triangleright_\Phi t{\downarrow_{\mathcal{R}}}$, i.e. $\exists M.\ M \triangleright_{\varphi_s} t{\downarrow_{\mathcal{R}}}$. (ii) $\Rightarrow$ (iii): we need to prove that there exists no fair infinite derivation starting from $\mathsf{Init}(\varphi)$.

Let $\varphi_s = \{w_1 \triangleright s_1, \ldots, w_\ell \triangleright s_\ell\}$ be an initial frame such that for every $t$, $\exists M.\ M\varphi =_E t$ is equivalent to $\exists M.\ M \triangleright_{\varphi_s} t{\downarrow_{\mathcal{R}}}$. Assume by contradiction that there is an infinite fair derivation $(\Phi_0, \Psi_0) \Rightarrow \ldots \Rightarrow (\Phi_n, \Psi_n) \Rightarrow \ldots$ with $(\Phi_0, \Psi_0) = \mathsf{Init}(\varphi)$.

By Lemma 7.7 and since $\mathsf{Init}(\varphi) \not\Rightarrow^* \bot$, we deduce that there exists $i_0$ such that each $s_i$, $1 \le i \le \ell$, is syntactically deducible from $\Phi_{i_0}$. Since there is no infinite derivation with only B rules (Proposition 7.2), we can also assume that no B rule can be applied from $\Phi_{i_0}$. We have that $\exists M.\ M\varphi =_E t$ is now equivalent to $\exists M.\ M \triangleright_{\Phi_{i_0}} t{\downarrow_{\mathcal{R}}}$, thus the A.2 rule cannot be applied either. We deduce that no deduction facts are added to $\Phi_{i_0}$ along the derivation, that is $\Phi_j = \Phi_{i_0}$ for every $j \ge i_0$. Since no deduction facts are added, only a finite number of A.1 rules can be applied, which contradicts the existence of an infinite chain. □

Together with the syntactic criterion described in Section 6 to ensure non-failure, this criterion (Property (ii)) allows us to prove decidability of deduction and static equivalence for layered convergent theories that belong to the class of locally stable theories defined in [Abadi and Cortier 2006]. As a consequence, our procedure always saturates for the theories of blind signatures and homomorphic encryption, since those theories are layered and have been proved locally stable [Abadi and Cortier 2006]. Other examples of layered convergent theories enjoying this criterion can be found in [Abadi and Cortier 2006] (e.g. a theory of addition). While in [Abadi and Cortier 2006] the decision algorithm needs to be adapted for each theory, we propose a single (and efficient) algorithm that ensures a unified treatment of all these theories.

8. IMPLEMENTATION: THE TOOL YAPA 

YAPA (Yet Another Protocol Analyzer) is an OCaml implementation of the saturation procedure presented in Section 4 with several optional optimizations. It can be freely downloaded¹ together with a brief manual and examples.

The tool takes as input an equational theory described by a finite convergent rewrite system, as well as frame definitions and queries. The procedure starts by computing the decompositions of the rewrite system. By default, the following optimization is done: provided that the rewrite rules are given in an order compatible with the sets $\mathcal{R}_0 \subseteq \ldots \subseteq \mathcal{R}_{n+1}$ of Definition 6.2, the tool is able to recognize layered theories and to pre-compute the associated contexts $C$ related to condition (ii) of this definition. This allows resolving the failure cases as soon as they appear, rather than later on, when the saturation procedure has made enough progress. This optimization was studied in a first version of this article [Baudet et al. 2009], but as the practical benefits appear to be minor (see below), we chose not to keep these technical developments in this version for the sake of notational simplicity.



¹ http://www.lsv.ens-cachan.fr/~baudet/yapa/index.html
Another optimization concerns a specific treatment of subterm convergent theories but does not induce any difference with the theoretical procedure presented here. Except for the first (optional) optimization mentioned above, the algorithm follows the procedure described in Section 4, using a minimal function Ctx in the sense of Section 6.3, and a fair strategy of rule application (see Definition 7.6).

We have conducted several experiments on a PC Intel Core 2 Duo at 2.4 GHz with 2 GB RAM for various equational theories (see below) and found that YAPA provides an efficient way to check static equivalence and deducibility. Those examples are available at http://www.lsv.ens-cachan.fr/~baudet/yapa/index.html. The figures given below are valid for the versions with and without optimizations.

For the case of $E_{enc}$, we have run YAPA on the frames

$\{w_1 \rhd t^0_n,\ w_2 \rhd c_0,\ w_3 \rhd c_1\}$, and

$\{w_1 \rhd t^1_n,\ w_2 \rhd c_0,\ w_3 \rhd c_1\}$,

where $t^i_0 = c_i$ and $t^i_{n+1} = \langle \mathsf{enc}(t^i_n, k^i_n), k^i_n \rangle$, $i \in \{0, 1\}$. These examples allow us to increase the (tree, non-DAG) size of the distinguishing tests exponentially, while the sizes of the frames grow linearly. Despite the size of the output, we have observed satisfactory performances for the tool.



Equational theory   E_enc    E_enc    E_enc    E_enc    E_enc
                    n = 10   n = 14   n = 16   n = 18   n = 20
Execution time      < 1s     1.7s     8s       30s      < 3min



We have also experimented YAPA on several convergent theories, e.g. $E_{blind}$, $E_{hom}$, $E_{pref}$ and the theory of addition $E_{add}$ defined in [Abadi and Cortier 2006].

Comparison with ProVerif. In comparison with the tool ProVerif [Blanchet 2001; Blanchet et al. 2008], here instrumented to check static equivalences, our test samples suggest a running time between one and two orders of magnitude faster for YAPA. Also we did not succeed in making ProVerif terminate on the two theories $E_{hom}$ and $E_{add}$. Of course, these results are not entirely surprising given that ProVerif is tailored for the more general (and difficult) problem of protocol (in)security under active adversaries. In particular ProVerif's initial preprocessing of the rewrite system appears more substantial than ours and does not terminate on the theories $E_{hom}$ and $E_{add}$ (although termination is guaranteed for linear or subterm-convergent theories [Blanchet et al. 2008]).

Comparison with KiSs. The tool KiSs (Knowledge in Security protocols) is a C++ implementation of the procedure described in [Ciobaca et al. 2009]. This procedure reuses the same concepts as the one presented in a preliminary version of this work [Baudet et al. 2009]. The performances of the tool YAPA are comparable to the performances of KiSs. However, since the tool KiSs implements DAG representations for terms, it does better on the example developed above. From the point of view of the equational theories the tools are able to deal with, they are incomparable. KiSs allows one to consider some equational theories for which our procedure fails (e.g. the theory of trapdoor bit commitment).

Conversely, our procedure is guaranteed to terminate (without failure) for theories that are not considered by the procedure implemented in KiSs. The only general class of theories for which KiSs has been proved to terminate is the class of subterm convergent equational theories.

9. CONCLUSION AND FUTURE WORK 

We have proposed a procedure for checking deducibility and static equivalence. 
Our procedure is correct and complete for any convergent theory and is efficient, as 
shown by its implementation within the tool YAPA. Since deducibility and static 
equivalence are undecidable in general, our algorithm may fail or may not terminate. 
We have identified a large class of equational theories (called layered convergent) 
for which non-failure of the procedure is ensured. Since termination can then often 
be easily proved by hand, we have obtained a new decidability result for the prefix 
theory. We have also proposed a semantic (and exact) characterization for the 
procedure to terminate. This again yields a new decidability result for locally 
stable, layered convergent theories. 

As further work, we would like to extend our procedure to theories with associative and commutative operators. A first possibility would be to implement the decidability result of [Cortier and Delaune 2007] for monoidal theories (that include many theories with associative and commutative operators) and to combine the two procedures using the combination theorem of [Arnaud et al. 2007]. However, it seems much more efficient to integrate associativity and commutativity directly, and this could even open the way to a more powerful combination technique.

The tool KiSs, developed recently [Ciobaca et al. 2009], supports several equational theories for which our procedure fails. Conversely, our procedure is guaranteed to terminate (without failure) for classes of theories that are not considered by the procedure implemented in KiSs. It would be interesting to compare the techniques and possibly to combine them in order to capture more theories.
APPENDIX



Lemma 5.2 (completeness, syntactic deduction). Let $(\Phi, \Psi)$ be a state, $M_0 \rhd t_0 \in \Phi$. Let $N$, $t$ be two terms such that $t \in \mathsf{st}(t_0)$ and $N \rhd_\Phi t$. Then there exist $(\Phi', \Psi')$ and $N'$ such that:

— $(\Phi, \Psi) \Rightarrow^* (\Phi', \Psi')$ using B rules, and
— $N' \rhd t \in \Phi'$ and $\Psi' \models N \bowtie N'$.

Proof. By hypothesis, we have that $N \rhd_\Phi t$. This means that there exist a public context $C$ and some facts $M_1 \rhd t_1, \ldots, M_n \rhd t_n \in \Phi$ such that $N = C[M_1, \ldots, M_n]$ and $t = C[t_1, \ldots, t_n]$. Let $C$ be such a context whose size is minimal. We show the result by structural induction on $C$.

Base case: $C$ is reduced to a hole. Let $(\Phi', \Psi') = (\Phi, \Psi)$ and $N' = N$. The result trivially holds.

Induction step: $C = f(C_1, \ldots, C_r)$ with $f \in \mathcal{F}_{pub}$ of arity $r$. In such a case, we have $t = f(u_1, \ldots, u_r)$ and $C_i[M_1, \ldots, M_n] \rhd_\Phi u_i$ with $u_i \in \mathsf{st}(t_0)$ for each $1 \le i \le r$. Thus, we can apply our induction hypothesis. We deduce that there exist $(\Phi_1, \Psi_1)$ and terms $N'_1, \ldots, N'_r$ such that:

— $(\Phi, \Psi) \Rightarrow^* (\Phi_1, \Psi_1)$ using B rules,
— $N'_i \rhd u_i \in \Phi_1$ and $\Psi_1 \models C_i[M_1, \ldots, M_n] \bowtie N'_i$ for each $1 \le i \le r$.

From this we easily deduce that $\Psi_1 \models N \bowtie f(N'_1, \ldots, N'_r)$. We apply one B rule. We have that $M_0 \rhd t_0, N'_1 \rhd u_1, \ldots, N'_r \rhd u_r \in \Phi_1$, $t = f(u_1, \ldots, u_r) \in \mathsf{st}(t_0)$ and $f \in \mathcal{F}_{pub}$. We distinguish two cases:

Rule B.1: Assume that for all $M_t$ we have that $(M_t \rhd t) \notin \Phi_1$.

Let $\Phi' = \Phi_1 \cup \{f(N'_1, \ldots, N'_r) \rhd t\}$, $\Psi' = \Psi_1$ and $N' = f(N'_1, \ldots, N'_r)$. In order to conclude it remains to show that $\Psi' \models N \bowtie N'$. This is an easy consequence of the fact that $\Psi_1 \models N \bowtie f(N'_1, \ldots, N'_r)$.

Rule B.2: Assume that there exists $M_t$ such that $M_t \rhd t \in \Phi_1$.

Let $\Phi' = \Phi_1$, $\Psi' = \Psi_1 \cup \{f(N'_1, \ldots, N'_r) \bowtie M_t\}$ and $N' = M_t$. In order to conclude it remains to show that $\Psi' \models N \bowtie N'$. We have $\Psi' \models f(N'_1, \ldots, N'_r) \bowtie N'$ and $\Psi' \models N \bowtie f(N'_1, \ldots, N'_r)$. This allows us to conclude. □

Lemma 5.3 (completeness, syntactic equations). Let $(\Phi, \Psi)$ be a state, and $M$, $N$ be two terms such that $M \rhd_\Phi t$ and $N \rhd_\Phi t$ for some term $t$. Then there exists $(\Phi', \Psi')$ such that:

— $(\Phi, \Psi) \Rightarrow^* (\Phi', \Psi')$ using B rules, and
— $\Psi' \models M \bowtie N$.

Proof. By hypothesis, we have that $M \rhd_\Phi t$ and $N \rhd_\Phi t$ for some term $t$. By definition of $\rhd_\Phi$, we have that

— $M = C[M_1, \ldots, M_k]$, $N = C'[N_1, \ldots, N_\ell]$ for some contexts $C$, $C'$,
— the facts $M_1 \rhd t_1, \ldots, M_k \rhd t_k$ and $N_1 \rhd u_1, \ldots, N_\ell \rhd u_\ell$ are in $\Phi$,
— $C[t_1, \ldots, t_k] = C'[u_1, \ldots, u_\ell]$.

We prove the result by structural induction on $C$ and $C'$. We assume w.l.o.g. that $C$ is smaller than $C'$ (in terms of number of symbols).

Base case: $C$ is reduced to a hole. We have that $C[M_1, \ldots, M_k] = M_1$. By hypothesis, we have that $N \rhd_\Phi t = t_1$ and thus $t \in \mathsf{st}(t_1)$. Thanks to Lemma 5.2, there exist $(\Phi', \Psi')$ and $N'$ such that $(\Phi, \Psi) \Rightarrow^* (\Phi', \Psi')$ using B rules, $N' \rhd t_1 \in \Phi'$ and $\Psi' \models N \bowtie N'$. Since $M_1 \rhd t_1$ and $N' \rhd t_1$ are both in $\Phi'$, we deduce that $N' = M_1$. Hence we have that $N' = M$ and thus we easily conclude.

Induction step: $C = f(C_1, \ldots, C_r)$ and $C' = f(C'_1, \ldots, C'_r)$ where $f \in \mathcal{F}_{pub}$ is a symbol of arity $r$ and $C_1, \ldots, C_r, C'_1, \ldots, C'_r$ are contexts. Moreover, we have that $C_i[t_1, \ldots, t_k] = C'_i[u_1, \ldots, u_\ell]$ for every $1 \le i \le r$. By applying the induction hypothesis, we deduce that there exists $(\Phi', \Psi')$ such that

— $(\Phi, \Psi) \Rightarrow^* (\Phi', \Psi')$, and
— $\Psi' \models C_i[M_1, \ldots, M_k] \bowtie C'_i[N_1, \ldots, N_\ell]$ for every $1 \le i \le r$.

Hence, we have that $\Psi' \models M \bowtie N$. This allows us to conclude. □

The following lemma justifies the notion of decomposition (Definition 4.1) as far 
as completeness is concerned. 

Lemma A.1 (decomposition of a context reduction). Let $\Phi$ be a frame, $l$ a (plain) term, $\sigma$ a substitution, and $M$ a term such that $M \rhd_\Phi l\sigma$. Then there exist

— an $(n, p, q)$-decomposition $D$ of $l$, written $l = D[l_1, \ldots, l_n, y_1, \ldots, y_{p+q}]$,
— $n$ deduction facts $M_1 \rhd t_1, \ldots, M_n \rhd t_n$ in $\Phi$,
— $p + q$ recipes $N_1, \ldots, N_{p+q}$

such that

— for every $1 \le i \le n$, $t_i = l_i\sigma$, and
— for every $1 \le j \le p + q$, $N_j \rhd_\Phi y_j\sigma$.

In particular, $D[M_1, \ldots, M_n, N_1, \ldots, N_{p+q}] \rhd_\Phi l\sigma$.

Besides, if $l$ is a left-hand side of a rule in $\mathcal{R}$ and $\Phi$ is $\mathcal{R}$-reduced, $D$ is a proper decomposition (i.e. $D \neq w_1$).

Proof. Since $M \rhd_\Phi l\sigma$, by definition there exist $C$ and $M^0_1 \rhd t^0_1, \ldots, M^0_m \rhd t^0_m$ in $\Phi$ such that $M = C[M^0_1, \ldots, M^0_m]$ and $l\sigma = C[t^0_1, \ldots, t^0_m]$.

Let $x_1, \ldots, x_m$ be fresh variables. Given that $C[x_1, \ldots, x_m]$ and $l$ unify and have distinct variables, there exists a largest common context $D_0$ such that $l = D_0[l^0_1, \ldots, l^0_a, y^0_1, \ldots, y^0_b]$ and $C = D_0[w_{j_1}, \ldots, w_{j_a}, D_1, \ldots, D_b]$ where the terms $l^0_i$ are not variables and $D_0$ uses all its parameters: in particular $l\sigma = C[t^0_1, \ldots, t^0_m]$ means that

— for every $1 \le k \le a$, $l^0_k\sigma = t^0_{j_k}$, and
— for every $1 \le k \le b$, $y^0_k\sigma = D_k[t^0_1, \ldots, t^0_m]$.

Let $n$ be the cardinal of $\{l^0_1, \ldots, l^0_a\}$. For each distinct $l_i$ in $\{l^0_1, \ldots, l^0_a\}$ ($1 \le i \le n$), we choose $k$ in $\{1, \ldots, a\}$ such that $l_i = l^0_k$ and define $M_i = M^0_{j_k}$ and $t_i = l^0_k\sigma = l_i\sigma$. Besides, for every $k'$ such that $l^0_{k'} = l_i$, we define $w_{k'} = w_i$.

Let $p$ be the cardinal of $\{y^0_1, \ldots, y^0_b\} \cap \mathsf{var}(l_1, \ldots, l_n)$. For each distinct $y_j$ in $\{y^0_1, \ldots, y^0_b\}$ ($1 \le j \le p$), we choose $k$ in $\{1, \ldots, b\}$ such that $y_j = y^0_k$ and define $N_j = D_k[M^0_1, \ldots, M^0_m]$. Besides, for every $k'$ such that $y^0_{k'} = y_j$, we define $w_{a+k'} = w_{n+j}$.

Let $q = b - p$. We repeat the same operation for each distinct $y_j$ in $\{y^0_1, \ldots, y^0_b\} - \mathsf{var}(l_1, \ldots, l_n)$ ($p + 1 \le j \le p + q$).

Finally, we let $D = D_0[w_1, \ldots, w_{a+b}]$. By construction, we have that

— $l = D[l_1, \ldots, l_n, y_1, \ldots, y_{p+q}]$,
— the $l_i$ are mutually distinct non-variable terms and the $y_j$ are mutually distinct variables,
— $y_i \in \mathsf{var}(l_1, \ldots, l_n)$ iff $i \le p$,
— $M_i \rhd t_i$ is in $\Phi$,
— for every $1 \le i \le n$, $t_i = l_i\sigma$, and
— for every $1 \le j \le p + q$, $N_j \rhd_\Phi y_j\sigma$.

As for the last sentence, if $D$ is a parameter, so is $D_0$. As $l = y^0_1$ is impossible for a convergent system $\mathcal{R}$, we have $D_0 = w_k$ with $k \le a$. Hence $C = w_{j_k}$, and $t^0_{j_k} = C[t^0_1, \ldots, t^0_m] = l\sigma$ is not $\mathcal{R}$-reduced. □

Lemma 5.4 (completeness, context reduction). Let $(\Phi, \Psi)$ be a state and $M$, $t$, $t'$ be three terms such that $M \rhd_\Phi t$ and $t \to_{\mathcal{R}} t'$. Then, either $(\Phi, \Psi) \Rightarrow^* \bot$ or there exist $(\Phi', \Psi')$, $M'$ and $t''$ such that

— $M' \rhd_{\Phi'} t''$ with $t' \to^*_{\mathcal{R}} t''$, and
— $\Psi' \models M \bowtie M'$.

Besides, in both cases, the corresponding derivation from $(\Phi, \Psi)$ can be chosen to consist of a number of B rules, possibly followed by one instance of an A rule involving the same rewrite rule $l \to r$ as the rewrite step $t \to_{\mathcal{R}} t'$.

Proof. By hypothesis, there exist a (public) context $C$ and some deduction facts $M^0_1 \rhd t^0_1, \ldots, M^0_m \rhd t^0_m \in \Phi$ such that $M = C[M^0_1, \ldots, M^0_m]$ and $t = C[t^0_1, \ldots, t^0_m]$.

Moreover, there exist a position $\alpha$, a substitution $\sigma$ and a rewrite rule $l \to r \in \mathcal{R}$ such that $t|_\alpha = l\sigma$ and $t' = t[r\sigma]_\alpha$.

We note that $\alpha$ must be a (symbol) position of $C$ since the $t^0_i$ are $\mathcal{R}$-reduced. Hence we may write $C|_\alpha[t^0_1, \ldots, t^0_m] = l\sigma$.

By Lemma A.1, we deduce that there exist

— a proper $(n, p, q)$-decomposition $D$ of $l$: $l = D[l_1, \ldots, l_n, y_1, \ldots, y_p, z_1, \ldots, z_q]$,
— $M_1 \rhd t_1, \ldots, M_n \rhd t_n$ in $\Phi$,
— $N_1, \ldots, N_{p+q}$

such that

— for every $1 \le i \le n$, $t_i = l_i\sigma$,
— for every $1 \le j \le p$, $N_j \rhd_\Phi y_j\sigma$, and
— for every $1 \le k \le q$, $N_{p+k} \rhd_\Phi z_k\sigma$.

In particular, we obtain that

$M|_\alpha = C|_\alpha[M^0_1, \ldots, M^0_m] \rhd_\Phi C|_\alpha[t^0_1, \ldots, t^0_m] = l\sigma$

$D[M_1, \ldots, M_n, N_1, \ldots, N_{p+q}] \rhd_\Phi D[t_1, \ldots, t_n, y_1\sigma, \ldots, y_p\sigma, z_1\sigma, \ldots, z_q\sigma] = l\sigma$

Thus, by Lemma 5.3, there exists a derivation $(\Phi, \Psi) \Rightarrow^* (\Phi_1, \Psi_1)$ using B rules such that $\Psi_1 \models M|_\alpha \bowtie D[M_1, \ldots, M_n, N_1, \ldots, N_{p+q}]$.

Besides, since $y_j$ belongs to $\mathsf{var}(l_1, \ldots, l_n)$ by definition of decompositions, $y_j\sigma$ is a subterm of some $l_i\sigma = t_i$. Since $N_j \rhd_\Phi y_j\sigma$, by applying Lemma 5.2 repeatedly, we deduce that there exist some terms $M_{n+1}, \ldots, M_{n+p}$ and a derivation $(\Phi_1, \Psi_1) \Rightarrow^* (\Phi_2, \Psi_2)$ using B rules such that for all $j$,

— $M_{n+j} \rhd y_j\sigma$ is in $\Phi_2$, and

Let $N = D[M_1, \ldots, M_{n+p}, N_{p+1}, \ldots, N_{p+q}]$. We deduce that $N \rhd_{\Phi_2} l\sigma$, and

$\Psi_2 \models M|_\alpha \bowtie D[M_1, \ldots, M_n, N_1, \ldots, N_{p+q}] \bowtie N$

We now consider the application to $(\Phi_2, \Psi_2)$ of an A rule that involves the rewrite rule $l \to r$, the decomposition $D$, the plain terms $(t_1, \ldots, t_{n+p}) = (l_1, \ldots, l_n, y_1, \ldots, y_p)\sigma$ and the substitution $\sigma' = \sigma|_V$ obtained by restricting $\sigma$ to the domain $V = \mathsf{var}(l_1, \ldots, l_n) = \mathsf{var}(l_1, \ldots, l_n, y_1, \ldots, y_p)$.

Case A.3. If $(r\sigma'){\downarrow_{\mathcal{R}}}$ is not ground and $\mathsf{Ctx}(\Phi^+_2 \vdash^?_{\mathcal{R}} r\sigma') = \bot$ where $\Phi^+_2 = \Phi_2 \cup \{z_1 \rhd z_1, \ldots, z_q \rhd z_q\}$, then we may conclude that $(\Phi_2, \Psi_2) \Rightarrow \bot$ by an instance of rule A.3 involving $l \to r$, the decomposition $D$ and the facts $M_1 \rhd t_1, \ldots, M_{n+p} \rhd t_{n+p}$.

Case A.1. If there exists $N_0 = \mathsf{Ctx}(\Phi^+_2 \vdash^?_{\mathcal{R}} r\sigma')$ where $\Phi^+_2 = \Phi_2 \cup \{z_1 \rhd z_1, \ldots, z_q \rhd z_q\}$. By Property (b) of $\mathsf{Ctx}$, let $s_0$ be such that $N_0 \rhd_{\Phi_2 \cup \{z_1, \ldots, z_q\}} s_0$ and $r\sigma' \to^*_{\mathcal{R}} s_0$, and define

— $\Phi' = \Phi_2$,
— $\Psi' = \Psi_2 \cup \{\forall z_1, \ldots, z_q.\ D[M_1, \ldots, M_{n+p}, z_1, \ldots, z_q] \bowtie N_0\}$,
— $M' = M[M_0]_\alpha$ where $M_0 = N_0\{z_i \mapsto N_{p+i}\}_{1 \le i \le q}$,
— $t'' = t[t_0]_\alpha = t'[t_0]_\alpha$ where $t_0 = s_0\{z_i \mapsto z_i\sigma\}_{1 \le i \le q}$.

By construction, we have $(\Phi_2, \Psi_2) \Rightarrow (\Phi', \Psi')$ by an instance of rule A.1.

Besides, $r\sigma' \to^*_{\mathcal{R}} s_0$ implies $t'|_\alpha = r\sigma \to^*_{\mathcal{R}} t_0$ and $t' \to^*_{\mathcal{R}} t''$.

Given that $\alpha \in \mathsf{pos}(C)$ (where $C$ is the context previously associated with $M \rhd_\Phi t$) and $M_0 \rhd_{\Phi'} t_0$, we have that $M' = M[M_0]_\alpha \rhd_{\Phi'} t[t_0]_\alpha = t''$.

It remains to show that $\Psi' \models M \bowtie M'$. Indeed, we have seen that $\Psi_2 \models M|_\alpha \bowtie N$ where $N = D[M_1, \ldots, M_{n+p}, z_1, \ldots, z_q]\{z_i \mapsto N_{p+i}\}_{1 \le i \le q}$. Besides, by definition of $\Psi'$, it holds that $\Psi' \supseteq \Psi_2 \supseteq \Psi_1$ and we have that $\Psi' \models D[M_1, \ldots, M_{n+p}, z_1, \ldots, z_q] \bowtie N_0$. Therefore, $\Psi' \models M|_\alpha \bowtie M_0$ and $\Psi' \models M \bowtie M[M_0]_\alpha = M'$.

Case A.2: if $(r\sigma'){\downarrow_{\mathcal{R}}}$ is ground and $\mathsf{Ctx}(\Phi^+_2 \vdash^?_{\mathcal{R}} r\sigma') = \bot$ where $\Phi^+_2 = \Phi_2 \cup \{z_1 \rhd z_1, \ldots, z_q \rhd z_q\}$, define

— $M_0 = D[M_1, \ldots, M_{n+p}, a, \ldots, a]$ and $t_0 = (r\sigma'){\downarrow_{\mathcal{R}}}$,
— $\Phi' = \Phi_2 \cup \{M_0 \rhd t_0\}$,
— $\Psi' = \Psi_2 \cup \{\forall z_1, \ldots, z_q.\ D[M_1, \ldots, M_{n+p}, z_1, \ldots, z_q] \bowtie M_0\}$,
— $M' = M[M_0]_\alpha$, and
— $t'' = t[t_0]_\alpha$,

where $a$ is the fixed public constant of rule A.2.

By construction, $(\Phi_2, \Psi_2) \Rightarrow (\Phi', \Psi')$ by an instance of the A.2 rule.

Since $t_0$ is ground and $\sigma = \sigma'\sigma$, we have $t_0 = (r\sigma){\downarrow_{\mathcal{R}}}$. Therefore $t' = t[r\sigma]_\alpha \to^*_{\mathcal{R}}$

Given that $\alpha \in \mathsf{pos}(C)$ and by construction $M_0 \rhd_{\Phi'} t_0$, we have $M' \rhd_{\Phi'} t''$.

It remains to show that $\Psi' \models M \bowtie M'$. Indeed, we have seen that $\Psi_2 \models M|_\alpha \bowtie N$ where $N = D[M_1, \ldots, M_{n+p}, z_1, \ldots, z_q]\{z_i \mapsto N_{p+i}\}_{1 \le i \le q}$. By definition of $\Psi'$, it holds that $\Psi' \models N \bowtie M_0$, hence $\Psi' \models M \bowtie M[N]_\alpha \bowtie M[M_0]_\alpha = M'$. The additional properties claimed on the derivation are clear from the construction above. □



